Cryptographic processing system, key generation device, key delegation device, encryption device, decryption device, cryptographic processing method, and cryptographic processing program

ABSTRACT

It is an object of this invention to implement a predicate encryption scheme with delegation capability. A cryptographic process is performed using dual vector spaces (dual distortion vector spaces) of a space V and a space V* paired through a pairing operation. An encryption device generates as a cipher vector a vector in which transmission information is embedded, the cipher vector being the vector of the space V. Using a predetermined vector of the space V* as a key vector, a decryption device performs the pairing operation on the cipher vector generated by the encryption device and the key vector to decrypt the cipher vector and to extract information concerning the transmission information.

TECHNICAL FIELD

This invention relates to a hierarchical predicate key encapsulation mechanism (HPKEM) scheme and a hierarchical predicate encryption (HPE) scheme.

BACKGROUND ART

-   Non-Patent Literature 18 discusses implementation of HPKEM and HPE     schemes in dual spaces paired through a pairing operation.

CITATION LIST Non-Patent Literature

-   Non-Patent Literature 1: Bethencourt, J., Sahai, A., Waters, B.:     Ciphertext-policy attribute-based encryption. In: 2007 IEEE     Symposium on Security and Privacy, pp. 321-334. IEEE Press (2007) -   Non-Patent Literature 2: Boneh, D., Boyen, X.: Efficient     selective-ID secure identity based encryption without random     oracles. In: Cachin, C., Camenisch, J. (eds.) EUROCRYPT 2004. LNCS,     vol. 3027, pp. 223-238. Springer Heidelberg (2004) -   Non-Patent Literature 3: Boneh, D., Boyen, X.: Secure identity based     encryption without random oracles. In: Franklin, M. K. (ed.)     CRYPTO 2004. LNCS, vol. 3152, pp. 443-459. Springer Heidelberg     (2004) -   Non-Patent Literature 4: Boneh, D., Boyen, X., Goh, E.: Hierarchical     identity based encryption with constant size ciphertext. In: Cramer,     R (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440-456. Springer     Heidelberg (2005) -   Non-Patent Literature 5: Boneh, D., Franklin, M.: Identity-based     encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001.     LNCS, vol. 2139, pp. 213-229. Springer Heidelberg (2001) -   Non-Patent Literature 6: Boneh, D., Hamburg, M.: Generalized     identity based and broadcast encryption scheme. In: Pieprzyk, J.     (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 455-470. Springer     Heidelberg (2008) -   Non-Patent Literature 7: Boneh, D., Waters, B.: Conjunctive, subset,     and range queries on encrypted data. In: Vadhan, S. P. (ed.)     TCC 2007. LNCS, vol. 4392, pp. 535-554. Springer Heidelberg (2007) -   Non-Patent Literature 8: Boyen, X., Waters, B.: Anonymous     hierarchical identity-based encryption (without random oracles). In:     Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 290-307. Springer     Heidelberg (2006) -   Non-Patent Literature 9: Cocks, C.: An identity based encryption     scheme based on quadratic residues. In: Honary, B. (ed.) IMA Int.     Conf LNCS, vol. 2260, pp. 360-363. Springer Heidelberg (2001) -   Non-Patent Literature 10: Gentry, C.: Practical identity-based     encryption without random oracles. In: Vaudenay, S. (ed.)     EUROCRYPT 2006. LNCS, vol. 4004, pp. 445-464. Springer Heidelberg     (2006) -   Non-Patent Literature 11: Gentry, C., Halevi, S.: Hierarchical     identity-based encryption with polynomially many levels. In:     Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 437-456. Springer     Heidelberg (2009) -   Non-Patent Literature 12: Gentry, C., Silverberg, A.: Hierarchical     ID-based cryptography. In: Zheng, Y. (ed.) ASIACRYPT 2002. LNCS,     vol. 2501, pp. 548-566. Springer Heidelberg (2002) -   Non-Patent Literature 13: Goyal, V., Pandey, O., Sahai, A., Waters,     B.: Attribute-based encryption for fine-grained access control of     encrypted data. In: ACM Conference on Computer and Communication     Security 2006, pp. 89-98, ACM (2006) -   Non-Patent Literature 14: Groth, J., Sahai, A.: Efficient     non-interactive proof systems for bilinear groups. In: Smart, N. P.     (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415-432. Springer     Heidelberg (2008) -   Non-Patent Literature 15: Horwitz, J., Lynn, B.: Towards     hierarchical identity-based encryption. In: Knudsen, L. R. (ed.)     EUROCRYPT 2002. LNCS, vol. 2332, pp. 466-481. Springer Heidelberg     (2002) -   Non-Patent Literature 16: Katz, J., Sahai, A., Waters, B.: Predicate     encryption supporting disjunctions, polynomial equations, and inner     products. In: Smart, N. P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965,     pp. 146-162. Springer Heidelberg (2008) -   Non-Patent Literature 17: Okamoto, T., Takashima, K.: Homomorphic     encryption and signatures from vector decomposition. In:     Galbraith, S. D., Paterson, K. G. (eds.) Pairing 2008. LNCS, vol.     5209, pp. 57-74. Springer Heidelberg (2008) -   Non-Patent Literature 18: Okamoto, T., Takashima, K.: A geometric     approach on pairing and hierarchical predicate encryption. In:     Poster session, EUROCRYPT 2009. (2009) -   Non-Patent Literature 19: Ostrovsky, R., Sahai, A., Waters, B.:     Attribute-based encryption with non-monotonic access structures. In:     ACM Conference on Computer and Communication Security 2007, pp.     195-203, ACM, (2007) -   Non-Patent Literature 20: Pirretti, M., Traynor, P., McDaniel, P.,     Waters, B.: Secure attribute-based systems. In: ACM Conference on     Computer and Communication Security 2006, pp. 99-112, ACM, (2006) -   Non-Patent Literature 21: Sahni, A., Waters, B.: Fuzzy     identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005.     LNCS, vol. 3494, pp. 457-473. Springer Heidelberg (2005) -   Non-Patent Literature 22: Shi, E., Waters, B.: Delegating capability     in predicate encryption systems. In: Aceto, L., Damgard, I.,     Goldberg, L. A., Halldorsson, M. M., Ingolfsdottir, A.,     Walukiewicz, I. (eds.) ICALP (2) 2008. LNCS, vol. 5126, pp. 560-578.     Springer Heidelberg (2008) -   Non-Patent Literature 23: Takashima, K.: Efficiently computable     distortion maps for supersingular curves. In: van der Poorten, A.     J., Stein, A. (eds.) ANTS VIII, LNCS, vol. 5011, pp. 88-101.     Springer Heidelberg (2008) -   Non-Patent Literature 24: Waters, B: Ciphertext-policy     attribute-based encryption: an expressive, efficient, and provably     secure realization. ePrint, IACR, http://eprint.iacr.org/2008/290

DISCLOSURE OF INVENTION Technical Problem

In the HPKEM and HPE schemes proposed in Non-Patent Literature 18, security proof is given in an idealized (generic) model. However, in the HPKEM and HPE schemes proposed in Non-Patent Literature 18, security proof is not given in a standard model.

It is an object of this invention to provide a predicate encryption (PE) scheme and a predicate key encapsulation mechanism (PKEM) scheme with enhanced security. In particular, it is an object of this invention to provide a PE scheme and a PKEM scheme with delegation capability.

Solution to Problem

A cryptographic processing system according to this invention, for example, performs a predicate encryption process using dual vector spaces of a space V and a space V* paired through a pairing operation shown in Formula 1, and the cryptographic processing system comprises:

an encryption device that, using a processing device, generates as a cipher vector c₁ a vector of a basis B̂, the basis B̂having, out of basis vectors b_(i) (i=1, . . . , n, . . . , N) (N being an integer of 3 or greater and n being an integer from 1 to N−2) that constitute a predetermined basis B of the space V, basis vectors b_(i) (i=1, . . . , n) and a basis vector d_(n+1) which is a sum of two or more basis vectors b_(i) (i=n+1, . . . , m) out of the basis vectors b_(i) (i=n+1, . . . , N), the cipher vector c₁ being the vector in which attribute information is embedded as coefficients of one or more basis vectors out of the basis vector b_(i) (i=1, . . . , n), and predetermined information is embedded as a coefficient of the basis vector d_(n+1); and

a decryption device that, using the processing device, performs the pairing operation e (c₁, k*_(L,dec)) shown in Formula 1 on the cipher vector c₁ generated by the encryption device and a key vector k*_(L,dec) to decrypt the cipher vector c₁ and to extract a value concerning the predetermined information, the key vector k*_(L,dec) being a vector of a basis B* of the space V* and constructed such that predicate information is embedded as coefficients of one or more basis vectors of basis vectors b*_(i) (i=1, . . . , n) out of basis vectors b*_(i) (i=1, . . . , n, . . . , N) that constitute the basis B*, and coefficients of basis vectors b*_(i) (i=n+1, . . . , m) of the basis B* are embedded such that a sum of the coefficients of the basis vectors b*_(i) (i=n+1, . . . , m) is 1.

e(p,q):=Π_(i=1) ^(N) e(χ_(i) b _(i),η_(i) b* _(i))  [Formula 1]

where p:=Σ_(i=1) ^(N)χ_(i)b_(i), q:=Σ_(i=1) ^(N)η_(i)b_(i)*, χ_(i),η_(i): predetermined values.

Advantageous Effects of Invention

A cryptographic system according to this invention can implement a predicate encryption (PE) scheme and a predicate key encapsulation mechanism (PKEM) scheme with enhanced security.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a diagram for explaining a notion of “delegation (hierarchical delegation)”;

FIG. 2 is a diagram for explaining delegation skipping over a level;

FIG. 3 is a diagram showing hierarchical structures of attribute information and predicate information;

FIG. 4 is a diagram showing an example of a hierarchical identity-based encryption (HIBE) scheme which is an application example of a hierarchical predicate encryption (HPE) scheme for inner-product predicates;

FIG. 5 is a diagram for explaining a basis and a basis vector;

FIG. 6 is a diagram for explaining an example of a method for implementing a hierarchical structure in a vector space;

FIG. 7 is a configuration diagram of a cryptographic processing system 10;

FIG. 8 is a flowchart showing operations of a key generation device 100, an L-th level encryption device 200, and an L-th level decryption device 300 of the cryptographic processing system 10;

FIG. 9 is a flowchart showing operations of an L-th level key delegation device 400, an (L+1)-th level encryption device 200 and an (L+1)-th level decryption device 300 of the cryptographic processing system 10;

FIG. 10 is a diagram for explaining a base change method;

FIG. 11 is a functional block diagram showing functions of the cryptographic processing system 10 that implements an HPE scheme according to a second embodiment;

FIG. 12 is a flowchart showing operations of the key generation device 100 according to the second embodiment;

FIG. 13 is a flowchart showing operations of the encryption device 200 according to the second embodiment;

FIG. 14 is a flowchart showing operations of the decryption device 300 according to the second embodiment;

FIG. 15 is a flowchart showing operations of the key delegation device 400 according to the second embodiment;

FIG. 16 is a conceptual diagram showing a structure of a basis of dual pairing vector spaces according to the second embodiment;

FIG. 17 is a functional block diagram showing functions of the cryptographic processing system 10 that implements a hierarchical predicate key encapsulation mechanism (HPKEM) scheme according to the second embodiment;

FIG. 18 is a flowchart showing operations of the encryption device 200 according to the second embodiment;

FIG. 19 is a flowchart showing operations of the decryption device 300 according to the second embodiment;

FIG. 20 is a functional block diagram showing functions of the cryptographic processing system 10 that implements a predicate encryption (PE) scheme with delegation capability according to a third embodiment; and

FIG. 21 is a diagram showing an example of a hardware configuration of the key generation device 100, the encryption device 200, the decryption device 300, and the key delegation device 400.

DESCRIPTION OF PREFERRED EMBODIMENTS

Embodiments of the invention will now be described with reference to drawings.

In the following description, a processing device is a CPU 911 or the like to be described later. A storage device is a ROM 913, a RAM 914, a magnetic disk 920 or the like to be described later. A communication device is a communication board 915 or the like to be described later. An input device is a keyboard 902, the communication board 915 or the like to be described later. An output device is the RAM 914, the magnetic disk 920, the communication board 915, an LCD 901 or the like to be described later. That is, the processing device, the storage device, the communication device, the input device, and the output device are hardware.

Notations to be used in the following description will be described.

When A is a random variable or distribution, Formula 101 denotes that y is randomly selected from A according to the distribution of A. That is, y is a random number in Formula 101.

$\begin{matrix} {y\overset{\mspace{25mu} R\mspace{20mu}}{\leftarrow}A} & \left\lbrack {{Formula}\mspace{14mu} 101} \right\rbrack \end{matrix}$

When A is a set, Formula 102 denotes that y is uniformly selected from A.

That is, y is a uniform random number in Formula 102.

$\begin{matrix} {y\overset{\mspace{25mu} U\mspace{20mu}}{\leftarrow}A} & \left\lbrack {{Formula}\mspace{14mu} 102} \right\rbrack \end{matrix}$

Formula 103 denotes that y is set, defined or substituted by z.

y:=z  [Formula 103]

When a is a fixed value, Formula 104 denotes that a machine (algorithm) A outputs a on an input x.

A(x)→a  [Formula 104]

For example,

A(x)→1

A vector symbol denotes a vector representation over a finite field F_(q), that is, Formula 105.

{right arrow over (x)} denotes

(x ₁ , . . . ,x _(n))ε

_(q).  [Formula 105]

Formula 106 denotes the inner-product of two vectors x{right arrow over ( )} and v{right arrow over ( )} shown in Formula 107, and Formula 108 shows this inner-product.

{right arrow over (x)}·{right arrow over (v)}  [Formula 106]

{right arrow over (x)}=(x ₁ , . . . ,x _(n))

{right arrow over (v)}=(v ₁ , . . . ,v _(n))  [Formula 107]

Σ_(i=1) ^(n) x _(i) v _(i)  [Formula 108]

X^(T) denotes the transpose of a matrix X.

In the following description, a cryptographic process shall include an encryption process, a decryption process, and a key generation process, and shall also include a key encapsulation process.

First Embodiment

In this embodiment, basic concepts for implementing a “predicate encryption (PE) scheme with delegation” and a “predicate key encapsulation mechanism (PKEM) scheme with delegation” to be discussed in subsequent embodiments will be described, together with basic constrictions of the PE (PKEM) scheme with delegation.

Firstly, a notion of a “PE (PKEM) scheme with delegation for inner-product predicates”, which is a type of PE (PKEM) scheme with delegation, will be described. The PE (PKEM) schemes with delegation to be discussed in the subsequent embodiments are PE (PKEM) schemes with delegation for inner-product predicates. To describe the notion of the PE scheme with delegation for inner-product predicates, a notion of “delegation” will be described first, together with a notion of “hierarchical delegation”. Then, the “PE scheme for inner-product predicates” will be described. Then, a “hierarchical PE (HPE) scheme for inner-product predicates (hierarchical PKEM (HPKEM) scheme for inner-product predicates), which is a type of PE scheme for inner-product predicates with the notion of hierarchical delegation, will be described. Further, to reinforce the understanding of the HPE scheme for inner-product predicates, an application example of the HPE scheme for inner-product predicates will be described.

Secondly, the HPE scheme for inner-product predicates in vector spaces will be described. In this and subsequent embodiments, the HPE and HPKEM schemes for inner-product predicates are implemented in vector spaces. A “base” and a “basis vector” will be described first. Then, the “PE scheme for inner-product predicates in vector spaces” will be described. Then, a “method for implementing a hierarchical structure in a vector space” will be described. Further, to reinforce the understanding, an implementation example of the hierarchical structure will be described.

Thirdly, basic constructions of the “HPE and HPKEM schemes” according to this and subsequent embodiments will be described. A “cryptographic processing system 10” that implements the HPE and HPKEM schemes will also be described. Fourthly, concepts for implementing the HPKEM and HPE schemes will be described. “Bilinear pairing groups”, “vector spaces V and V*”, “canonical dual bases A and A*”, “pairing operation”, “base change”, and “distortion maps” will be described.

Fifthly, “dual pairing vector spaces (DPVS)” having rich mathematical structures for implementing the HPKEM and HPE schemes will be described.

Sixthly, based on the above descriptions, a method for implementing the HPE and HPKEM schemes to be discussed in detail in the subsequent embodiments will be briefly described.

<1. HPE Scheme for Inner-Product Predicates>

<1-1. Notion of Delegation (Hierarchical Delegation)>

FIG. 1 is a diagram for explaining the notion of “delegation (hierarchical delegation)”.

Delegation means that a user who has a higher level key generates a lower level key having more limited capabilities than the user's (higher level) key.

In FIG. 1, a root (key generation device) generates secret keys for first level (level-1) users by using a master secret key. That is, the root generates keys 1, 2, and 3 for first level users 1, 2, and 3, respectively. Then, by using the key 1, for example, the user 1 can generate keys 11, 12, and 13 for users 11, 12, and 13, respectively, who are lower (first) level users of the user 1. The keys 11, 12, and 13 possessed by the users 11, 12, and 13 have more limited capabilities than the key 1 possessed by the user 1. The limited capabilities mean that ciphertexts that can be decrypted by that secret key are limited. That is, a lower level secret key can only decrypt some of ciphertexts that can be decrypted by a higher level secret key. This means that the keys 11, 12, and 13 possessed by the users 11, 12, and 13 can only decrypt some of ciphertexts that can be decrypted by the key 1 possessed by the user 1. Normally, the keys 11, 12, and 13 can decrypt respectively different ciphertexts. On the other hand, a ciphertext that can be decrypted by the keys 11, 12, or 13 can be decrypted by the key 1.

As shown in FIG. 1, each secret key is provided for a specific level. This is described as “hierarchical”. That is, as shown in FIG. 1, hierarchical generation of lower level keys is called “hierarchical delegation”.

In FIG. 1, it has been described that the root generates the secret keys for the first level users, the first level users generate the secret keys for the second level users, and the second level users generate the secret keys for the third level users. However, as shown in FIG. 2, the root can generate not only the secret keys for the first level users, but also the secret keys for the second or lower level users. Likewise, the first level users can generate not only the secret keys for the second level users, but also the secret keys for the third or lower level users. That is, the root or each user can generate the secret keys for levels lower than the level of its own secret key.

<1-2. PE scheme for Inner-Product Predicates>

Next, the “PE scheme for inner-product predicates” will be described.

The PE scheme is a cryptographic scheme in which a ciphertext can be decrypted if a result of inputting attribute information x to predicate information f_(v) is 1 (true) (f_(v)(x)=1). Normally, the attribute information x is embedded in a ciphertext, and the predicate information f_(v) is embedded in a secret key. That is, in the PE scheme, a ciphertext c encrypted based on the attribute information x is decrypted by a secret key SK_(f) generated based on the predicate information f_(v). The PE scheme may be described as a cryptographic scheme in which, for example, the predicate information f_(v), is a conditional expression and the attribute information x is information to be input to the conditional expression, and a ciphertext can be decrypted if the input information (attribute information x) satisfies the conditional expression (predicate information f_(v)) (f_(v)(x)=1).

The PE scheme is discussed in detail in Non-Patent Literature 16.

The PE scheme for inner-product predicates is a type of PE scheme in which f_(v)(x)=1 if the inner-product of attribute information x and predicate information f_(v) is a predetermined value. That is, a ciphertext c encrypted by the attribute information x can be decrypted by a secret key SK_(f) generated based on the predicate information f_(v) if and only if the inner-product of the attribute information x and the predicate information f_(v) is a predetermined value. In the following description, it is assumed that f_(v)(x)=1 if the inner-product of the attribute information x and the predicate information f_(v) is 0.

<1-3. HPE Scheme for Inner-Product Predicates>

The HPE (HPKEM) scheme for inner-product predicates is a type of “PE scheme for inner-product predicates” with the above-described notion of “hierarchical delegation”.

In the HPE scheme for inner-product predicates, attribute information and predicate information have hierarchical structures, in order to add a hierarchical delegation system to the PE scheme for inner-product predicates.

FIG. 3 is a diagram showing hierarchical structures of attribute information and predicate information.

In FIG. 3, attribute information and predicate information with the same reference numerals correspond to each other (i.e., their inner-product is 0). That is, the inner-product of an attribute 1 and a predicate 1 is 0, the inner-product of an attribute 11 and a predicate 11 is 0, the inner-product of an attribute 12 and a predicate 12 is 0, and the inner-product of an attribute 13 and a predicate 13 is 0. This means that a ciphertext c1 encrypted by the attribute 1 can be decrypted by a secret key k1 generated based on the predicate 1. A ciphertext c11 encrypted by the attribute 11 can be decrypted by a secret key k11 generated based on the predicate 11. The same can be said of the attribute 12 and the predicate 12 as well as the attribute 13 and the predicate 13.

As described above, the HPE scheme for inner-product predicates has the hierarchical delegation system. Thus, the secret key k11 can be generated based on the predicate 11 and the secret key k1 generated based on the predicate 1. That is, a user having the higher level secret key k1 can generate its lower level secret key k11 from the secret key k1 and the lower level predicate 11. Likewise, a secret key k12 can be generated from the secret key k1 and the predicate 12, and a secret key k13 can be generated from the secret key k1 and the predicate 13.

A ciphertext encrypted by a key (public key) corresponding to a lower level secret key can be decrypted by a higher level secret key. On the other hand, a ciphertext encrypted by a key (public key) corresponding to a higher level secret key cannot be decrypted by a lower level secret key. That is, the ciphertexts c11, c12, and c13 encrypted by the attributes 11, 12, and 13, respectively, can be decrypted by the secret key k1 generated based on the predicate 1. On the other hand, the ciphertext c1 encrypted by the attribute 1 cannot be decrypted by the secret keys k11, k12, and k13 generated based on the predicates 11, 12, and 13, respectively. That is, the inner-product of the attribute 11, 12, or 13 and the predicate 1 is 0. On the other hand, the inner-product of the attribute 1 and the predicate 11, 12, or 13 is not 0.

<1-4. Application Example of the HPE Scheme for Inner-Product Predicates>

FIG. 4 is a diagram showing an example of a hierarchical identity-based encryption (HIBE) scheme, which is an application example of the HPE scheme for inner-product predicates to be described later. The HIBE scheme is a cryptographic process in which the notion of hierarchical is applied to an identity-based encryption (IBE) scheme. The IBE scheme is a type of PE scheme, namely, a matching PE scheme, which allows a ciphertext to be decrypted if an ID included in the ciphertext matches an ID included in a secret key.

In the example shown in FIG. 4, based on a master secret key sk and an ID “A” of Company A, a root (key generation device) generates a secret key (key A) corresponding to the ID “A”. For example, based on the key A and the ID of each division, a security administrator of Company A generates a secret key corresponding to that ID. For example, the security administrator generates a secret key (key 1) corresponding to an ID “A-1” of a sales division. Then, based on the secret key of each division and the ID of each unit belonging to that division, for example, an administrator of each division generates a secret key corresponding to that ID. For example, an administrator of the sales division generates a secret key (key 11) corresponding to an ID “A-11” of a sales unit 1.

In this case, a ciphertext encrypted by the ID “A-11” of the sales unit 1 can be decrypted by the key 11 which is the secret key corresponding to the ID “A-11” of the sales unit 1. However, a ciphertext encrypted by the ID of a sales unit 2 or a sales unit 3 cannot be decrypted by the key 11. Also, a ciphertext encrypted by the ID of the sales division cannot be decrypted by the key 11.

A ciphertext encrypted by the ID “A-1” of the sales division can be decrypted by the key 1 which is the secret key corresponding to the ID “A-1” of the sales division. Also, a ciphertext encrypted by the ID of a unit belonging to the sales division can be decrypted by the key 1. That is, a ciphertext encrypted by the ID of the sales unit 1, 2, or 3 can be decrypted by the key 1. However, a ciphertext encrypted by the ID of a manufacturing division (ID: A-2) or a staff division (ID: A-3) cannot be decrypted by the key 1. Also, a ciphertext encrypted by the ID of Company A cannot be decrypted by the key 1.

A ciphertext encrypted by the ID “A” of Company A can be decrypted by the key A which is the secret key corresponding to the ID “A” of Company A. Also, a ciphertext encrypted by the ID of each division belonging to Company A or the ID of a unit belonging to each division can be decrypted by the key A.

The HPE scheme for inner-product predicates can be adapted to various applications other than the IBE scheme. In particular, the cryptographic processes to be described later are not limited to a class of equality tests, so that they can be applied to a vast number of applications. For example, the cryptographic processes can also be adapted for other types of PE scheme for inner-product predicates such as a searchable encryption scheme, making it possible to implement applications that are not possible with a prior art PE scheme with the delegation system, such as limiting a searchable range at each level by using a conditional expression such as AND or OR.

That is, the HPKEM and HPE schemes to be described in the subsequent embodiments can be applied to a wide variety of applications such as the IBE and searchable encryption schemes.

<2. HPE Scheme for Inner-Product Predicates in Vector Spaces>

The HPKEM and HPE schemes are implemented in high-dimensional vector spaces called dual pairing vector spaces (DPVS) to be described later. Thus, the HPE scheme for inner-product predicates in vector spaces will be described.

<2-1. Basis and Basis Vector>

First, a “basis” and a “basis vector” to be used for explaining a vector space will be briefly explained.

FIG. 5 is a diagram for explaining the basis and the basis vector.

FIG. 5 shows a vector v of a 2-dimensional vector space. The vector v is c₁a₁+c₂a₂. Further, the vector v is y₁b₁+y₂b₂. Here, a₁ and a₂ are called basis vectors in a basis A, and are represented as basis A: =(a₁, a₂). b₁ and b₂ are called basis vectors in a basis B, and are represented as basis B: =(b₁, b₂). c₁, c₂, y₁, and y₂ are coefficients of respective basis vectors. FIG. 5 shows a 2-dimensional vector space, so that there are two basis vectors in each basis. In an N-dimensional vector space, there are an N number of basis vectors in each basis.

<2-2. PE Scheme for Inner-Product Predicates in Vector Spaces>

The PE scheme for inner-product predicates in vector spaces will now be described.

As described above, the PE scheme for inner-product predicates is a type of PE scheme in which f_(v)(x)=1 if the inner-product of the attribute information x and the predicate information f_(v) is a predetermined value (0 in this case). When the attribute information x and the predicate information f_(v) are vectors, namely, an attribute vector x{right arrow over ( )} and a predicate vector v{right arrow over ( )}, their inner-product predicate is defined as shown in Formula 109.

If {right arrow over (x)}·{right arrow over (v)}=Σ _(i=1) ^(n) x _(i) v _(i)=0, then f _({right arrow over (v)})({right arrow over (x)})=1, and

if {right arrow over (x)}·{right arrow over (v)}=Σ _(i=1) ^(n) x _(i) v _(i)≠0, then f _({right arrow over (v)})({right arrow over (x)})=0,  [Formula 109]

where {right arrow over (x)}=(x₁, . . . , x_(n)), {right arrow over (v)}=(v₁, . . . , v_(n)),

That is, it is a type of PE scheme in which a result of inputting the attribute information x to the predicate information f_(v) is 1 (true) if the inner-product of the attribute vector x{right arrow over ( )} and the predicate vector v{right arrow over ( )} (i.e., the sum of element-wise inner-products) is 0, and a result of inputting the attribute information x to the predicate information f_(v) is 0 (false) if the inner-product of the attribute vector x{right arrow over ( )} and the predicate vector v{right arrow over ( )} is not 0.

<2-3. Method for Implementing a Hierarchical Structure in a Vector Space>

A method for implementing a hierarchical structure in a vector space will now be described.

FIG. 6 is a diagram for explaining an example of the method for implementing a hierarchical structure in a vector space.

The vector space here is assumed to be a high-dimensional (N-dimensional) vector space. That is, there exist an N number of basis vectors c_(i) (i=1, . . . , N) in a predetermined basis C of the vector space.

An n number of basis vectors (basis vectors c_(i) (i=1, . . . , n)) out of the N number of basis vectors are used to represent the hierarchical structure. The basis vectors c_(i) (i=1, . . . , n) are divided into a d number of groups, namely, basis vectors c_(i) (i=1, . . . , μ₁), basis vectors c_(i) (i=μ₁+1, . . . , μ₂), . . . , and basis vectors c_(i) (i=μ_(d−1)+1, . . . , n), where d denotes a depth of hierarchy.

Then, a μ₁ number of basis vectors c_(i) (i=1, . . . , μ_(i)) are assigned to represent attribute information and predicate information of the first level. A (μ₂−μ₁) number of basis vectors c_(i) (i=μ₁+1, μ₂) are assigned to represent attribute information and predicate information of the second level. Likewise, a (μ_(d)−μ_(d−1)) number of basis vectors c_(i) (i=μ_(d−1)+1, . . . , μ_(d) (=n)) are assigned to represent attribute information and predicate information of the d-th level.

To generate a ciphertext by L-th level attribute information, not only L-th level but first to L-th level attribute information is used to generate a ciphertext. Likewise, to generate a secret key by L-th level predicate information, not only L-th level but first to L-th level predicate information is used to generate a secret key. That is, to generate a ciphertext by the L-th level attribute information, or to generate a secret key by the L-th level predicate information, a μ_(L) number of basis vectors c_(i) (i=1, . . . , μ_(L)) assigned to the first to L-th levels are used. For example, to generate a ciphertext by third level attribute information, a μ₃ number of basis vectors c_(i) (i=1, . . . , μ_(L)) assigned to the first to third levels are used to generate a ciphertext, such that first to third level attribute information is reflected. Likewise, to generate a secret key by third level predicate information, the μ₃ number of basis vectors c_(i) (i=1, . . . , μ₃) assigned to the first to third levels are used to generate a secret key, such that first to third level predicate information is reflected. That is, attribute information or predicate information to be used at a lower level includes attribute information or predicate information to be used at a higher level. In this way, attribute information and predicate information each have a hierarchical structure. Then, by using the hierarchical structures of attribute information and predicate information, a delegation system is incorporated in the PE scheme for inner-product predicates.

In the following description, a format of hierarchy μ{right arrow over ( )} is used to denote a hierarchical structure of a vector space. The format of hierarchy μ{right arrow over ( )} is shown in Formula 110.

{right arrow over (μ)}:=(n,d;μ ₁, . . . ,μ_(d))  [Formula 110]

where μ₀=0<μ₁<μ₂< . . . <μ_(d)=n.

That is, the format of hierarchy μ{right arrow over ( )}has information n which denotes the number of basis vectors (number of dimensions) assigned to represent the hierarchical structure, information d which denotes the depth of hierarchy, and information μ₁, . . . ,μ_(d) which denote basis vectors assigned to each level.

The HPE scheme for inner-product predicates in vector spaces will now be described.

Let an attribute space Σ_(L) (L=1, . . . , d) be a space assigned to represent L-th level attribute information, where each Σ_(L) is as shown in Formula 111.

Σ_(L)ρ

μ_(L)−μ_(L−1)\{{right arrow over (0)}}  [Formula 111]

Let a set of hierarchical attributes be Σ shown in Formula 112, where the union is a disjoint union.

Σ:=∪_(L=1) ^(d)(Σ₁× . . . ×Σ_(L))  [Formula 112]

Then, hierarchical predicates shown in Formula 114 on hierarchical attributes shown in Formula 113 are defined as shown in Formula 115.

({right arrow over (x)} ₁ , . . . ,{right arrow over (x)} _(h))εΣ  [Formula 113]

f({right arrow over (v)} ₁ , . . . ,{right arrow over (v)} _(L))  [Formula 114]

where {right arrow over (v)} _(i)ε

_(q)μ_(i)−μ_(i−1)\{{right arrow over (0)}}.

If and only if L≦h and

{right arrow over (x)} _(i) ·{right arrow over (v)} _(i)=0 for all 1≦i≦L, then

f _(({right arrow over (v)}) ₁ _(, . . . ,{right arrow over (v)}) _(L) ₎({right arrow over (x)} ₁ , . . . ,{right arrow over (x)} _(h))=1.  [Formula 115]

Let a space of hierarchical predicates be F shown in Formula 116.

:={f _(({right arrow over (v)}) ₁ _(, . . . ,{right arrow over (v)}) _(L) ₎ |{right arrow over (v)} _(i)ε

_(q)μ_(i)−μ_(i−1)\{{right arrow over (0)}}}  [Formula 116]

Let h in Formula 117 and L in Formula 118 each be called a level.

({right arrow over (x)} ₁ , . . . ,{right arrow over (x)} _(h))  [Formula 117]

({right arrow over (v)} ₁ , . . . ,{right arrow over (v)} _(L))

<2-4 Implementation Example of the Hierarchical Structure>

The hierarchical structure will be explained by using a simple example, where 6-dimensional space having three levels, each level consisting of 2-dimensional space, is employed. That is, μ{right arrow over ( )}:=(n, d; μ_(1, . . . , μ) _(d))=(6, 3; 2, 4, 6).

A user who has a first level secret key sk₁ generated based on a first level predicate vector v{right arrow over ( )}=(v₁, v₂) can generate a second level secret key sk₂ based on the first level secret key sk₁ and a second level predicate vector v{right arrow over ( )}₂:=(v₃, v₄). That is, the second level secret key sk₂ is generated based on the predicate vectors (v{right arrow over ( )}₁, v{right arrow over ( )}₂). Likewise, a user who has the second level secret key sk₂ can generate a third level secret key sk₃ based on the second level secret key sk₂ and a third level predicate vector v{right arrow over ( )}₃:=(v₅, v₆). That is, the third level secret key sk₃ is generated based on the predicate vectors (v{right arrow over ( )}₁, v{right arrow over ( )}₂, v{right arrow over ( )}₃).

The first level secret key sk₁ generated based on the first level predicate vector v{right arrow over ( )}₁ is a secret key generated by (v{right arrow over ( )}₁, (0, 0), (0, 0)). Thus, the first level secret key sk₁ can decrypt a ciphertext encrypted by an attribute vector (x{right arrow over ( )}₁, (*, *), (*, *)):=((x₁, x₂), (*, *), (*, *)) if v{right arrow over ( )}₁·x{right arrow over ( )}₁=0. This is because (*, *)·(0, 0)=0. Here, “*” denotes an arbitrary value.

Likewise, the second level secret key sk₂ generated based on the second level predicate vectors (v{right arrow over ( )}₁, v{right arrow over ( )}₂) is a secret key generated by (v{right arrow over ( )}₁, v{right arrow over ( )}₂, (0, 0)). Thus, the second level secret key sk₂ can decrypt a ciphertext encrypted by attribute vectors (x{right arrow over ( )}₁, x{right arrow over ( )}₂, (*, *)):=((x₁, x₂), (x₃, x₄), (*, *)) if v{right arrow over ( )}₁·x{right arrow over ( )}₁=0 and v{right arrow over ( )}₂·x{right arrow over ( )}₂=0.

However, the second level secret key sk₂ cannot decrypt a ciphertext encrypted by the first level attribute vector x{right arrow over ( )}₁:=(x₁, x₂) (i.e., (x{right arrow over ( )}₁, (*, *), (*, *)). This is because if not v{right arrow over ( )}₂=(0, 0), then (*, *)·v{right arrow over ( )}₂≠0 and v{right arrow over ( )}₂·x{right arrow over ( )}₂≠0. Therefore, it can be stated that the second level secret key sk₂ has more limited capabilities than the parent secret key sk₂.

<3. Constructions of the HPE and HPKEM Schemes>

<3-1. HPE Scheme>

A construction of the HPE scheme will be briefly described.

The HPE scheme includes five probabilistic polynomial-time algorithms: Setup, GenKey, Enc, Dec, and Delegate_(L) (L=1, . . . , d−1).

(Setup)

The Setup algorithm takes as input a security parameter 1^(λ) and a format of hierarchy μ{right arrow over ( )}, and outputs a master public key pk and a master secret key sk. The master secret key sk is a top level key.

(GenKey)

The GenKey algorithm takes as input the master public key pk, the master secret key sk, and predicate vectors shown in Formula 119, and outputs an L-th level secret key shown in Formula 120.

({right arrow over (v)} ₁ , . . . ,{right arrow over (v)} _(L))  [Formula 119]

sk _(({right arrow over (v)}) ₁ _(, . . . ,{right arrow over (v)}) _(L) ₎  [Formula 120]

(Enc)

The Enc algorithm takes as input the master public key pk, attribute vectors shown in Formula 121, and a message m, and outputs a ciphertext c. That is, the Enc algorithm outputs the ciphertext c containing the message m and encrypted by the attribute vectors shown in Formula 121.

({right arrow over (x)} ₁ , . . . ,{right arrow over (x)} _(h))  [Formula 121]

where 1≦h≦d.

(Dec)

The Dec algorithm takes as input the master public key pk, the L-th level secret key shown in Formula 122, and the ciphertext c, and outputs either the message m or a distinguished symbol ⊥. The distinguished symbol ⊥ is information indicating decryption failure. That is, the Dec algorithm decrypts the ciphertext c by the L-th level secret key, and extracts the message m. In case of decryption failure, the Dec algorithm outputs the distinguished symbol ⊥.

sk _(({right arrow over (v)}) ₁ _(, . . . ,{right arrow over (v)}) _(L) ₎  [Formula 122]

where

1≦L≦d.

(Delegate_(L))

Delegate_(L) takes as input the master public key pk, the L-th level secret key shown in Formula 123, and an (L+1)-th level predicate vector shown in Formula 124, and outputs an (L+1)-th level secret key shown in Formula 125. That is, the Delegate_(L) algorithm outputs a lower level secret key.

sk _(({right arrow over (v)}) ₁ _(, . . . ,{right arrow over (v)}) _(L) ₎  [Formula 123]

{right arrow over (v)} _(L+1)  [Formula 124]

sk _(({right arrow over (v)}) ₁ _(, . . . ,{right arrow over (v)}) _(L+1) ₎  [Formula 125]

<3-2. HPE Scheme>

A construction of the HPKEM scheme will be briefly explained.

As with the HPE scheme, the HPKEM scheme includes five probabilistic polynomial-time algorithms: Setup, GenKey, Enc, Dec, and Delegate_(L) (L=1, . . . , d−1).

(Setup)

The Setup algorithm takes as input a security parameter 1^(λ) and a format of hierarchy μ{right arrow over ( )}, and outputs a master public key pk and a master secret key sk. The master secret key sk is a top level key.

(GenKey)

The GenKey algorithm takes as input the master public key pk, the master secret key sk, and predicate vectors shown in Formula 126, and outputs an L-th level secret key shown in Formula 127.

({right arrow over (v)} ₁ , . . . ,{right arrow over (v)} _(L))  [Formula 126]

sk _(({right arrow over (v)}) ₁ _(, . . . ,{right arrow over (v)}) _(L) ₎  [Formula 127]

(Enc)

The Enc algorithm takes as input the master public key pk and attribute vectors shown in Formula 128, and outputs a ciphertext c and a session key K. That is, the Enc algorithm outputs the ciphertext c containing predetermined information (ρ) and encrypted by the attribute vectors shown in Formula 128 as well as the session key K generated from the predetermined information (ρ).

({right arrow over (x)} ₁ , . . . ,{right arrow over (x)} _(h))  [Formula 128]

where 1≦h≦d.

(Dec)

The Dec algorithm takes as input the master public key pk, the L-th level secret key shown in Formula 129, and the ciphertext c, and outputs either the session key K or a distinguished symbol ⊥. The distinguished symbol ⊥ is information indicating decryption failure. That is, the Dec algorithm decrypts the ciphertext c by the L-th level secret key, extracts the information on the predetermined information (ρ), and generates the session key K. In case of decryption failure, the Dec algorithm outputs the distinguished symbol ⊥.

sk _(({right arrow over (v)}) ₁ _(, . . . ,{right arrow over (v)}) _(L) ₎  [Formula 129]

(Delegate_(L))

The Delegate_(L) algorithm takes as input the master public key pk, the L-th level secret key shown in Formula 130, and an (L+1)-th level predicate vector shown in Formula 131, and outputs an (L+1)-th level secret key shown in Formula 132. That is, the Delegate_(L) algorithm outputs a lower level secret key.

sk _(({right arrow over (v)}) ₁ _(, . . . ,{right arrow over (v)}) _(L) ₎  [Formula 130]

{right arrow over (v)} _(L+1)  [Formula 131]

sk _(({right arrow over (v)}) ₁ _(, . . . ,{right arrow over (v)}) _(L+1) ₎  [Formula 132]

<3-3. Cryptographic Processing System 10>

The cryptographic processing system 10 will be described. The cryptographic processing system 10 executes the above-described algorithms of the HPE and HPKEM schemes.

FIG. 7 is a configuration diagram of the cryptographic processing system 10.

The cryptographic processing system 10 includes a key generation device 100, an encryption device 200, a decryption device 300, and a key delegation device 400. Here, the decryption device 300 includes the key delegation device 400. As described above, the cryptographic processing system 10 implements hierarchical cryptographic processes, so that it includes a plurality of the encryption devices 200, a plurality of the decryption devices 300, and a plurality of the key delegation devices 400.

The key generation device 100 executes the Setup and GenKey algorithms of the HPKEM and HPE schemes.

The encryption device 200 executes the Enc algorithm of the HPKEM and HPE schemes.

The decryption device 300 executes the Dec algorithm of the HPKEM and HPE schemes.

The key delegation device 400 executes the Delegate', algorithm of the HPKEM and HPE schemes.

FIG. 8 is a flowchart showing operations of the key generation device 100, an L-th level encryption device 200, and an L-th level decryption device 300 of the cryptographic processing system 10. That is, FIG. 8 is a flowchart showing operations from the generation of master keys (a master public key and a master secret key) and the generation of an L-th level secret key to the encryption and decryption at the L-th level.

(S101: Key Generation Step)

The key generation device 100 executes the Setup algorithm to generate a master public key pk and a master secret key sk. Based on the generated master public key pk, the generated master secret key sk, and a predicate vector v{right arrow over ( )}_(L)(v{right arrow over ( )}_(L)=(v₁, . . . , v_(i)) (i=μ_(L))) corresponding to a predetermined decryption device 300 (the L-th level decryption device 300), the key generation device 100 executes the GenKey algorithm to generate an L-th level secret key. Then, the key generation device 100 publishes (distributes) the generated master public key pk, and secretly provides the L-th level secret key to the predetermined decryption device 300 The key generation device 100 secretly keeps the master secret key.

(S102: Encryption Step)

Based on the master public key pk distributed by the key generation device 100 in (S101) and an attribute vector x{right arrow over ( )}_(L) (x{right arrow over ( )}_(L)=(x₁, . . . , x_(i)) (i=μ_(L))) of the decryption device 300, the encryption device 200 executes the Enc algorithm to generate a ciphertext c. In the case of the HPKEM scheme, the encryption device 200 also generates a session key K. Then, the encryption device 200 transmits the generated ciphertext c to the decryption device 300 through a network or the like. The attribute vector x{right arrow over ( )}_(L) may be public, or may be obtained by the encryption device 200 from the key generation device 100 or the decryption device 300.

(S103: Decryption Step)

Based on the master public key pk and the L-th level secret key provided by the key generation device 100 in (S101), the decryption device 300 executes the Dec algorithm to decrypt the ciphertext c received from the encryption device 200. As a result of decrypting the ciphertext c, the decryption device 300 obtains the session key K in the case of the HPKEM scheme, or obtains a message m in the case of the HPE scheme. In case of decryption failure, the decryption device 300 outputs a distinguished symbol ⊥.

FIG. 9 shows a flowchart showing operations of an L-th level key delegation device 400, an (L+1)-th level encryption device 200, and an (L+1)-th level decryption device 300 of the cryptographic processing system 10. That is, FIG. 9 is a flowchart showing operations from the generation of an (L+1)-th level secret key to the encryption and decryption at the (L+1)-th level.

(S201: Key Delegation Step)

Based on the master public key pk distributed by the key generation device 100 in (S101), the L-th level secret key provided by the key generation device 100 or an (L−1)-th level key delegation device 400, and a predicate vector v{right arrow over ( )}_(L+1) ({right arrow over ( )}_(L+1)=(v_(i), . . . , v_(j)) (i=μ_(L)1, j=μ_(L+1))) corresponding to the (L+1)-th level decryption device 300, the L-th level delegation device 400 (the key delegation device 400 included in the L-th level decryption device 300) executes the Delegate_(L) algorithm to generate an (L+1)-th level secret key. Then, the L-th level key delegation device 400 secretly provides the generated secret key to the (L+1)-th level decryption device 300.

(S202: Encryption Step)

Based on the master public key pk distributed by the key generation device 100 in (S101) and attribute vectors to x{right arrow over ( )}₁ to x{right arrow over ( )}_(L+1) (x{right arrow over ( )}_(i) (i=1, . . . , L+1) (=(x₁, . . . , x_(i)) (i=μ_(L+1)))) of the first to (L+1)-th level decryption devices 300, the encryption device 200 executes the Enc algorithm to generate a ciphertext c. In the case of the HPKEM scheme, the encryption device 200 also generates a session key K. Then, the encryption device 200 transmits the generated ciphertext c to the decryption device 300 through a network or the like. The attribute vectors x{right arrow over ( )}₁ to x{right arrow over ( )}_(L+1) (x{right arrow over ( )}_(i) (i=1, . . . , L+1)) may be public, or may be obtained by the encryption device 200 from the key generation device 100 or the decryption device 300.

(S203: Decryption Step)

Based on the master public key pk distributed by the key generation device 100 in (S101) and the secret key provided by the L-th level key delegation device 400 in (S201), the decryption device 300 executes the Dec algorithm to decrypt the ciphertext c received from the encryption device 200. As a result of decrypting the ciphertext c, the decryption device 300 obtains the session key K in the case of the HPKEM scheme, or obtains a message m in the case of the HPE scheme.

<4. Concepts for Implementing the HPKEM and HPE Schemes>

Concepts required for implementing the above-described algorithms of the HPKEM and HPE schemes will now be described.

The method for implementing the cryptographic processes will be described by using an example in which dual pairing vector spaces (DPVS) to be described later are constructed by direct products of asymmetric pairing groups. However, DPVS are not limited to those realized by direct products of asymmetric pairing groups. That is, the cryptographic processes to be described below can be implemented in DPVS constructed by other methods. Three typical examples of DPVS are discussed in Non-Patent Literature 17.

<4-1. Bilinear Pairing Groups>

Bilinear pairing groups (q, G₁, G₂, G_(T), g₁, g₂, g_(T)) will be described. The bilinear pairing groups (q, G₁, G₂, G_(T), g₁, g₂, g_(T)) are a tuple of three cyclic groups G₁, G₂ and G_(T) of order q. g₁ is a generator of G₁, and g₂ is a generator of G₂. The bilinear pairing groups (q, G₁, G₂, G_(T), g₁, g₂, g_(T)) satisfy the following condition of nondegenerate bilinear pairing:

(Condition: Nondegenerate Bilinear Pairing)

There exists a polynomial-time computable nondegenerate bilinear pairing shown in Formula 133.

e:

₁×

₂→

_(T)  [Formula 133]

That is, for every τε

₁, ηε

₂, \

e(sξ,tη)=e(μ,η)^(st) and

g _(T) =e(g ₁ ,g ₂)≠1

This is called symmetric bilinear pairing when G₁=G₂ (=: G), and asymmetric bilinear pairing when G₁≠G₂. Symmetric bilinear pairing can be constructed using supersingular (hyper) elliptic curves. On the other hand, asymmetric bilinear pairing can be constructed using any (hyper) elliptic curves. Asymmetric bilinear pairing can be constructed using, for example, ordinary elliptic curves.

<4-2. Vector spaces V and V*>

A cyclic group (1-dimensional space) is extended to a higher-dimensional (vector) space. That is, as shown in Formula 134, N-dimensional vector spaces V and V* are constructed by direct products of G₁ and G₂.

:= 1 × … × 1  N ,  * := 2 × … × 2  N , [ Formula   134 ]

where an element x of the space

is represented by an N-dimensional vector as

x:=(x ₁ g ₁ , . . . ,x _(N) g ₁), and

likewise, an element y of the space

is represented by an N-dimensional vector as

y:=(y ₁ g ₂ , . . . ,y _(N) g ₂),

where x_(i), y_(i)ε

_(q) for i=1, . . . , N.

<4-3. Canonical Dual bases A and A*>

Canonical bases A and A* of the N-dimensional vector spaces V and V* will be described.

Formula 135 shows the canonical bases A and A*.

:=(a ₁ , . . . ,a _(N)),  [Formula 135]

*:=(a* ₁ , . . . ,a* _(N)),  [Formula 135]

where a₁:=(g₁, 0, . . . , 0), a₂:=(0, g₁, 0, . . . , 0), . . . , a_(N):=(0, . . . , 0, g₁), a*₁:=(g₂, 0, . . . , 0), a*₂:=(0, g₂, 0, . . . , 0), . . . , a*_(N):=(0, . . . , 0, g₂),

The canonical bases A and A* satisfy the conditions shown in Formula 136.

e(a _(i) ,a* _(j))=g _(T) ^(ε) ^(i,j) i,jε{1, . . . ,N}  [Formula 136]

where δ: Kronecker δ (i.e., δ_(i,j)=1 if i=j and δ_(i,j)=0 if i≠j), g_(T):=e(g₁,g₂)≠1

That is, the canonical bases A and A* are dual orthonormal bases, and the spaces V and V* are dual vector spaces paired through the pairing operation e.

The statement that the canonical bases A and A* satisfy the conditions shown in Formula 136 will be further explained.

First, the equation e(a_(i), a*_(i))=g_(T) will be explained. To take an example, e(a₁, a*₁) will be computed. Based on a₁=(g₁, 0, . . . , 0) and a*₁=(g₂, 0, . . . , 0) as described above, it follows that: e(a₁, a*₁)=e(g₁, g₂)×e(0, 0)×, . . . , ×e(0, 0). Here, as described above, the equation e(g₁, g₂)=g_(T) holds. Also, based on e(0, 0)=e(0·g₁, 0·g₂)=e(g₁, g₂)⁰, it follows that: e(0, 0)=1. Thus, the equation e(a₁, a*₁)=g_(T) holds. The same computations also hold for other e(a_(i), a*_(i)), so that the equation e(a_(i), a*_(i))=g_(T) holds.

Next, the equation e(a_(i), a*_(j))=1 (i≠j) will be explained. To take an example, e(a₁, a*₂) will be computed. Based on a₁=(g₁, 0, . . . , 0) and a*₂=(0, g₂, 0, . . . , 0) as described above, it follows that: e(a₁, a*₂)=e(g₁, 0)×e(0, g₂)×e(0, 0)×, . . . , ×e(0, 0). Based on e(g₁, 0)=e(g₁, 0·g₂)=e(g₁, g₂)⁰, the equation e(g₁, 0)=1 holds. Likewise, the equation e(0, g₂)=1 holds. Also, as described above, the equation e(0, 0)=1 holds. Thus, the equation e(a_(i), a*_(j))=1 holds. The same computations also hold for other e(a_(i), a*_(j)), so that the equation e(a_(i), a*_(j))=1 holds.

Thus, the equations e(a_(i), a*_(i))=g_(T) and e(a_(i), a*_(j))=1 (i≠j) hold over the canonical bases A and A*.

<4-4. Pairing Operation>

A pairing operation e on the N-dimensional vector spaces V and V* is defined as shown in Formula 137.

e(x,y):=Π_(i=1) ^(N) e(x _(i) g ₁ ,y _(i) g ₂)  [Formula 137]

That is, the pairing operation e (x, y) on a vector x:=(x₁g₁, x₂g₁, . . . , x_(N)g₁) of the N-dimensional vector space V and a vector y:=(y₁g₂, y₂g₂, . . . , y_(N)g₂) of the N-dimensional vector space V* is defined as the product of pairing operations on respective elements of the vectors x and y. Then, based on the above-described condition of nondegenerate bilinear pairing, the pairing operation e (x, y) can be expressed as shown in Formula 138.

e(x,y):=Π_(i=1) ^(N) e(x _(i) g ₁ ,y _(i) g ₂)=e(g ₁ ,g ₂)^(Σ) ^(i=1) ^(N) ^(x) ^(i) ^(y) ^(i) =g _(T) ^({right arrow over (x)}·{right arrow over (y)})ε

_(T)  [Formula 138]

<4-5. Base Change>

A base change method for changing the canonical bases A and A* to other bases B and B* will be described. FIG. 10 is a diagram for explaining the base change method.

The canonical basis A of the space V is changed to another basis B:=(b₁, . . . , b_(N)) of the space V. Using a uniformly chosen linear transformation X shown in Formula 139, the canonical basis A of the space V is changed to another basis B of the space V as shown in Formula 140.

$\begin{matrix} {{X\text{:} = \left( x_{i,j} \right)}\overset{\mspace{20mu} U\mspace{20mu}}{\leftarrow}{{GL}\left( {N,_{q}} \right)}} & \left\lbrack {{Formula}\mspace{14mu} 139} \right\rbrack \\ {{b_{i} = {\sum\limits_{j = 1}^{N}\; {x_{i,j}a_{j}}}}{{i = 1},\ldots \mspace{14mu},N}{where}{\text{:}{= \left( {b_{1},\ldots \mspace{14mu},b_{N}} \right).}}} & \left\lbrack {{Formula}\mspace{14mu} 140} \right\rbrack \end{matrix}$

Here, GL stands for general linear. That is, GL is a general linear group, a set of square matrices with nonzero determinants, and a group under multiplication.

By using X, the basis B*:=(b*₁, . . . , b*_(N)) of the space V* can be efficiently computed from the canonical basis A* of the space V*. The basis B* of the space V* is computed by using X as shown in Formula 141.

b _(i)*=Σ_(j=1) ^(N) v _(i,j) a* _(j) i=1, . . . ,N

where (v_(i,j)):=(X^(T))⁻¹,

:=(b₁*, . . . , b_(N)*)

Here, Formula 142 holds.

e(b _(i) ,b* _(j))=g _(T) ^(ε) ^(i,j) i,jε{1, . . . ,N}  [Formula 142]

where ε: Kronecker ε (i.e., δ_(i,j)=1 if i=j and ε_(i,j)=0 if i≠j), g_(T):=e(g₁,g₂)≠1

That is, the bases B and B* are dual orthonormal bases of dual spaces V and V*. This means that even when the canonical bases A and A* are changed by using X, dual orthonormal bases are preserved.

<4-6. Distortion Maps>

A linear transformation, called a distortion map, for a generator x in the space V over the canonical basis A will be described.

A distortion map φ_(i, j) on the canonical basis A of the space V is a map shown in Formula 143.

If  _(i,j)(a _(j))=a _(i) and

k≠j, then φ_(i,j)(a _(k))=0.  [Formula 143]

Since Formula 144 holds, the distortion map φ_(i,j) can achieve the transformation shown in Formula 145.

$\begin{matrix} \begin{matrix} {{\varphi_{i,j}(x)} = {\varphi_{i,j}\left( {{x_{1}a_{1}} + {x_{2}a_{2}} + \ldots + {x_{N}a_{N}}} \right)}} \\ {= {\varphi_{i,j}\left( {x_{j}a_{j}} \right)}} \\ {= {x_{j}{\varphi_{i,j}\left( a_{j} \right)}}} \\ {= {x_{j}a_{j}}} \end{matrix} & \left\lbrack {{Formula}\mspace{14mu} 144} \right\rbrack \\ {{{{For}\mspace{14mu} x}:=\left( {{x_{1}g_{1}},\ldots \mspace{14mu},{x_{j}g_{1}},\ldots \mspace{14mu},{x_{N}g_{1}}} \right)},{{\varphi_{i,j}(x)}:=\overset{i - 1}{\overset{}{\left( {0,\ldots \mspace{14mu},0} \right.}}},{x_{j}g_{1}},\overset{N - i}{\overset{}{\left. {0,\ldots \mspace{20mu},0} \right)}}} & \left\lbrack {{Formula}\mspace{14mu} 145} \right\rbrack \end{matrix}$

That is, an element, namely a basis vector j, in the canonical basis A of the vector x can be transformed into another element, namely a basis vector i, in the canonical basis A. At this time, elements other than the basis vector j that is transformed all become 0. That is, in the vector x, the basis vector j becomes the basis vector i and other elements become 0.

A distortion map φ*_(i,j) on the canonical basis A* of the space V* can be represented in the same manner as the distortion map φ_(i,j) on the canonical basis A of the space V.

By using the distortion map φ_(i,j) (φ*_(i,j)), any linear transformation W, expressed as an N×N-matrix shown in Formula 146, for xεV can be efficiently computed by Formula 147.

(γ_(i,j))ε

_(q) N×N  [Formula 146]

W(x):=Σ_(i=1,j=1) ^(N,N)γ_(i,j)φ_(i,j)(x)  [Formula 147]

<5. Dual Pairing Vector Spaces (DPVS)>

Based on the concepts described in the above 4, dual pairing vector spaces (DPVS) will be described. The HPE and HPKEM schemes to be described later are implemented in DPVS.

DPVS (q, V, V*, G_(T), A, A*) include a prime order q, two N-dimensional vector spaces V and V* over F_(q), a cyclic group G_(T) of order q, a canonical basis A:=(a₁, . . . , a_(N−1)) of the space V, and a canonical basis A*:=(a*₁, . . . , a*_(N−1)) of the space V*. The DPVS (q, V, V*, G_(T), A, A*) satisfy the following three conditions: (1) there exists a nondegenerate bilinear pairing, (2) the canonical bases A and A* are dual orthonormal bases, and (3) there exist distortion maps.

(1) Nondegenerate Bilinear Pairing (See the Above 4-1.)

There exists a polynomial-time computable nondegenerate bilinear pairing e. That is, the first condition is that there exists a nondegenerate bilinear pairing e shown in Formula 148.

e:

×

*→

  [Formula 148]

That is, if e(sx,ty)=e(x,y)^(st) and e(x,y)=1 for all yε

, then x=0.

(2) Dual Orthonormal Bases (See the Above 4-2.)

The canonical bases A and A* of the spaces V and V* are dual orthonormal bases.

That is, the second condition is that the canonical bases A and A* of the spaces

V and V* satisfy the condition shown in Formula 149.

e(a _(i) ,a* _(j))=g _(T) ^(δ) ^(i,j) for every i and j,  [Formula 149]

where δ: Kronecker δ (i.e., δ_(i,j)=1 if i=j and δ_(i,j)=0 if i≠j), g_(T)≠1

^(T).

(3) Distortion Maps (See the Above 4-6.)

There exist polynomial-time computable distortion maps φ_(i,j) and φ*_(i,j).

That is, the third condition is that endomorphisms φ_(i,j) and φ*_(i,j) of the spaces V and V* shown in Formula 150 are polynomial-time computable.

If φ_(i,j)(a _(j))=a _(i) and

k≠j, then φ_(i,j)(a _(k))=0.

If φ*_(i,j)(a* _(j))=a* _(i) and

k≠j, then φ*_(i,j)(a* _(k))=0  [Formula 150]

By satisfying the third condition, it can also be stated that the spaces V and V* are dual spaces paired through the pairing operation e (see the above 4-2).

<6. Outline of A method for Implementing the HPKEM and HPE Schemes>

Based on the concepts (see the above 4) and the DPVS (see the above 5) described above, a method will be briefly described by which the above-mentioned cryptographic processing system 10 (see the above 3) implements the HPE and HPKEM schemes.

First, an outline of the PE scheme for inner-product predicates to be implemented by the cryptographic processing system 10 will be described. For simplicity of description, the notion of hierarchical will be omitted, and an outline of the PE scheme for inner-product predicates with only one level will be described.

The cryptographic processing system 10 implements the PE scheme for inner-product predicates in the DPVS (q, V, V*, G_(T), A, A*), where the spaces V and V* are (n+3)-dimensional spaces.

The key generation device 100 generates orthonormal bases B:=(b₁, b_(n+3)) and B*:=(b*₁, b*_(n+3)) from canonical bases A and A* by the base change method described in the above 4-5. The key generation device 100 generates a basis B̂:=(b₁, . . . , b_(n), d_(n+1), b_(n+3)) in which basis vectors b_(n+1) and b_(n+2) of the basis B:=(b₁, b_(n+3)) are replaced with a basis vector d_(n+1) which is the sum of the basis vectors b_(n+1) and b_(n+2). The basis B̂ is used as a master public key pk, and the basis B* is used as a master secret key sk. Further, the key generation device 100 generates a secret key k* from a predicate vector v{right arrow over ( )}(v{right arrow over ( )}=(v₁, . . . , v_(n))εF^(n) _(q) as shown in Formula 151, and secretly transmits the secret key k* to the decryption device 300.

$\begin{matrix} {{{k^{*}\text{:} = {\sigma \left( {{v_{1}b_{1}^{*}} + \ldots + {v_{n}b_{n}^{*}}} \right)}} + {\eta \; b_{n + 1}^{*}} + {\left( {1 - \eta} \right)b_{n + 2}^{*}}}{where}{\sigma,{\eta \overset{\mspace{20mu} U\mspace{20mu}}{\leftarrow}{_{q}.}}}} & \left\lbrack {{Formula}\mspace{14mu} 151} \right\rbrack \end{matrix}$

The encryption device 200 generates two ciphertexts c₁ and c₂ from an attribute vector x{right arrow over ( )}(x{right arrow over ( )}=(x₁, . . . , x_(n))εF^(n) _(q) and a message m. The ciphertexts c₁ and c₂ are generated as shown in Formula 152.

$\begin{matrix} {{{{c_{1}\text{:} = {\delta_{1}\left( {{x_{1}b_{1}} + \ldots + {x_{n}b_{n}}} \right)}} + {\zeta \; d_{n + 1}} + {\delta_{2}b_{n + 3}}},{{c_{2}\text{:}} = {g_{T}^{\zeta}m}}}{where}{\delta_{1},\delta_{2},\left. \zeta\leftarrow{_{q}.} \right.}} & \left\lbrack {{Formula}\mspace{14mu} 152} \right\rbrack \end{matrix}$

Based on the ciphertexts c₁ and c₂ and the secret key k*, the decryption device 300 computes Formula 153 to extract the message m.

m:=c ₂ /e(c ₁ ,k*)  [Formula 153]

If v{right arrow over ( )}·x{right arrow over ( )}=0, the decryption device 300 can obtain the message m by computing Formula 153 as shown in Formula 154.

$\begin{matrix} \begin{matrix} {{e\left( {c_{1},k^{*\;}} \right)} = \begin{pmatrix} {\prod\limits_{i = 1}^{n}\; {{{e\left( {{\delta_{1}x_{i}b_{i}},{\sigma \; v_{i}b_{i}^{*}}} \right)} \cdot e}{\left( {{\zeta \; b_{n + 1}},{\eta \; b_{n + 1}^{*}}} \right) \cdot}}} \\ {e\left( {{\zeta \; b_{n + 2}},{\left( {1 - \eta} \right)b_{n + 2}^{*}}} \right)} \end{pmatrix}} \\ {= g_{T}^{{\delta_{1}{\sigma {({\sum\limits_{i = 1}^{n}{x_{i}v_{i}}})}}} + {\zeta \; \eta} + {\zeta {({1 - n})}}}} \\ {= g_{T}^{\zeta}} \end{matrix} & \left\lbrack {{Formula}\mspace{14mu} 154} \right\rbrack \end{matrix}$

Next, an outline of the PE scheme for inner-product predicates with hierarchical delegation capability, that is the HPE scheme for inner-product predicates, will be described using a simple example. The example employs 9-dimensional spaces, each space having six dimensions (three levels, each having two dimensions) which are used for predicate vectors and attribute vectors and three other dimensions. That is, the spaces V and V* are 9-dimensional spaces. Hence, a master public key includes a base B̂:=(b₁, . . . , b₆, d₇, b₉), where d₇:=b₇+b₈. A master secret key includes a basis B*: (b*₁, b*₉).

In the following description, a subscript “dec” stands for “decryption” and indicates a key vector used for decrypting a ciphertext. A subscript “ran” stands for “randomization” and indicates a randomizing vector for randomizing the coefficient of a predetermined basis vector of a lower level key. A subscript “del” stands for “delegation” and indicates a key-generation vector for generating a lower level key vector.

Ciphertexts c₁ and c₂ are generated by attribute vectors (x{right arrow over ( )}₁, x{right arrow over ( )}₂, x{right arrow over ( )}₃)=((x₁, x₂), (x₃, x₄), (x₅, x₆)) and a message m, as shown in Formula 155.

$\begin{matrix} {{{{c_{1}\text{:} = {\delta_{1}\left( {{x_{1}b_{1}} + {x_{2}b_{2}}} \right)}} + \ldots + {\delta_{3}\left( {{x_{5}b_{5}} + {x_{6}b_{6}}} \right)} + {\zeta \; d_{7}} + {\delta_{4}b_{9}}},\mspace{20mu} {{c_{2}\text{:}} = {g_{T}^{\zeta}m}}}\mspace{20mu} {where}\mspace{20mu} {\delta_{1},\ldots \mspace{14mu},\delta_{4},{\zeta \overset{\mspace{20mu} U\mspace{20mu}}{\leftarrow}{_{q}.}}}} & \left\lbrack {{Formula}\mspace{14mu} 155} \right\rbrack \end{matrix}$

If the attribute vector is of a higher level such as x{right arrow over ( )}₁=(x₁, x₂), the attribute vector is modified as shown in Formula 156.

$\begin{matrix} {{{{\overset{\rightarrow}{x}}^{+}\text{:}} = \left( {\left( {x_{1},x_{2}} \right),\left( {x_{3}^{+},x_{4}^{+}} \right),\left( {x_{5}^{+},x_{6}^{+}} \right)} \right)}{{{where}\left( {x_{3}^{+},x_{4}^{+},x_{5}^{+},x_{6}^{+}} \right)}\overset{\mspace{20mu} U\mspace{20mu}}{\leftarrow}{_{q}^{4}.}}} & \left\lbrack {{Formula}\mspace{14mu} 156} \right\rbrack \end{matrix}$

That is, the ciphertext c₁ generated by the attribute vector x{right arrow over ( )}₁ is generated as the ciphertext c₁ generated by the attribute vector x{right arrow over ( )}⁺ shown in Formula 156.

A first level secret key k{right arrow over ( )}*=(k*_(1,dec), k(_(1,ran,1), k*_(1,ran,2), k*_(1,del,3), . . . , k*_(1,del,6)) generated based on a first level predicate vector v{right arrow over ( )}₁:=(v₁, v₂)εF² _(q) consists of three types of elements: k*_(1,dec), (k*_(1,ran,1), k*_(1,ran,2)), and (k*_(1,del,3), . . . , k*_(1,del,6)). k*_(1,dec) is a key vector used for decrypting a ciphertext. (k*_(1,ran,1), k*_(1,ran,2)) are randomizing vectors for randomizing the coefficient of a predetermined basis vector of a lower level key vector. (k*_(1,del,3), . . . , k*_(1,del,6)) are key-generation vectors for generating a lower level key vector. k*_(1,dec), (k*_(1,ran,1), k*_(1,ran,2)), and (k*_(1,del,3), . . . , k*_(1,del,6)) are generated as shown in Formula 157.

$\begin{matrix} {{{k_{1,{dec}}^{*}:={{\sigma_{1,0}\left( {{v_{1}b_{1}^{*}} + {v_{2}b_{2}^{*}}} \right)} + {\eta_{0}b_{7}^{*}} + {\left( {1 - \eta_{0}} \right)b_{8}^{*}}}},{k_{1,{ran},j}^{*}:={{\sigma_{1,j}\left( {{v_{1}b_{1}^{*}} + {v_{2}b_{2}^{*}}} \right)} + {\eta_{j}b_{7}^{*}} - {\eta_{j}{b_{8}^{*}\left( {{j = 1},2} \right)}}}},{k_{1,{del},j}^{*}:={{\sigma_{1,j}\left( {{v_{1}b_{1}^{*}} + {v_{2}b_{2}^{*}}} \right)} + {\psi \; b_{j}^{*}} + {\eta_{j}b_{7}^{*}} - {\eta_{j}{b_{8}^{*}\left( {{j = 3},\ldots \mspace{14mu},6} \right)}}}}}{where}{\sigma_{1,j},\eta_{j},{\psi \overset{\mspace{20mu} U\mspace{20mu}}{\leftarrow}{{_{q}\left( {{j = 0},\ldots \mspace{14mu},6} \right)}.}}}} & \left\lbrack {{Formula}\mspace{14mu} 157} \right\rbrack \end{matrix}$

If the attribute vectors used in generating the ciphertext c₁ is ((x₁, x₂), (*, *), (*, *)) such that (x₁, x₂)·(v₁, v₂)=0, then Formula 158 holds. Hence, k*_(1,0) can decrypt the ciphertexts c₁ and c₂ by computing Formula 159.

e(c ₁ ,k* _(1,dec))=g _(T) ^(ζ)  [Formula 158]

c ₂ /e(c ₁ ,k _(1,0)*)  [Formula 159]

A second level secret key k{right arrow over ( )}*₂:=(k*_(2,dec), k*_(2,ran,2), k*_(2,ran,3), k*_(2,del,5), k*_(2,del,6)) is generated by a second level predicate vector v{right arrow over ( )}₂:=(v₃, v₄).

To generate k*_(2,dec), σ_(2,0) (v₃k*_(1,del,3)+v₄k*_(1,del,4)) is added to k*_(1,dec). To generate k*_(2,ran,j), σ_(2,j) (v₃k*_(1,del,3)+v₄k*_(1,del,4)) is added to 0 (j=1, 2, 3). To generate k*_(2,del,j), σ_(2,j) (v₃k*_(1,del,3)+v₄k*_(1,del,4)) is added to ψ⁺k*_(1,del,j) (j=5, 6). Here, σ_(2,j) (j=0, 1, 2, 3, 5, 6) and ψ⁺ are uniformly selected values.

Further, the coefficients of (v₁b*₁+v₂b*₂), b*₇, and b*₈ of the second level secret key are randomized (uniformly distributed). Hence, to generate k*_(2,dec), (α_(0,1)k*_(1,ran,1)+α_(0,2)k*_(1,ran,2)) is also added. To generate k*_(2,ran,j), (α_(j,1)K*_(1,ran,1)+α_(j,2)k*_(1,ran,2)) is added (j=1, 2, 3). To generate, k*_(2,del,j), (α_(j,1)k*_(1,ran,1)+α_(j,2)k*_(1,ran,2)) is added (j=5, 6). Here α_(j,1) and α_(j,2) (j=0, 1, 2, 3, 5, 6) are uniformly selected values.

To summarize, the second level secret key key k{right arrow over ( )}*₂:=(k*_(2,dec), k*_(2,ran,1) k*_(2,ran,2), k*_(2,ran,3), k*_(2,del,5), k*_(2,del,6)) is generated as shown in Formula 160.

 [ Formula   160 ] k 2 , dec * := k 1 , dec * + ( α 0 , 1  k 1 , ran , 1 * + α 0 , 2  k 1 , ran , 2 * ) + σ 2 , 0  ( v 3  k 1 , del , 3 * + v 4  k 1 , del , 4 * ) ,   k 2 , ran , j * := ( α j , 1  k 1 , ran , 1 * + α j , 2  k 1 , ran , 2 * ) + σ 2 , j  ( v 3  k 1 , del , 3 * + v 4  k 1 , del , 4 * )    ( j = 1 , 2 , 3 ) ,  k 2 , del , j * := ψ + k 1 , del , j * + ( α j , 1  k 1 , ran , 1 * + α j , 2  k 1 , ran , 2 * ) + σ 2 , j  ( v 3  k 1 , del , 3 * + v 4  k 1 , del , 4 * )    ( j = 5 , 6 )    where    α j , 1 , α j , 2 , σ 2 , j , ψ +  U  q    ( j = 0 , 1 , 2 , 3 , 5 , 6 ) .

k*_(2,dec) is a key vector used for decrypting a ciphertext. (k*_(2,ran,1), k*_(2,ran,2), k*_(2,ran,3)) are randomizing vectors for randomizing the coefficient of a predetermined basis vector of a lower level key vector. (k*_(2,del,5), k*_(2,del,6)) are used for generating a lower level key.

In general, in an L-th level secret key k{right arrow over ( )}_(L):=(k*_(L,dec), k*_(L,ran,j), k*_(L,del,j)), k*_(L,dec) is a key vector used for decrypting a ciphertext. k*_(L,ran,j) is a randomizing vector for randomizing the coefficient of a predetermined basis vector of a lower level key vector. k*_(L,del,j) is a key-generation vector for generating a lower level key vector.

Second Embodiment

In this embodiment, based on the concepts described in the first embodiment, the cryptographic processing system 10 that implements the HPE scheme will be described.

Referring to FIGS. 11 to 16, functions and operations of the cryptographic processing system 10 according to the second embodiment will be described.

FIG. 11 is a functional block diagram showing the functions of the cryptographic processing system 10 that implements the HPE scheme. As described above, the cryptographic processing system 10 includes the key generation device 100, the encryption device 200, the decryption device 300, and the key delegation device 400. It is also assumed in this embodiment that the decryption device 300 includes the key delegation device 400.

FIG. 12 is a flowchart showing operations of the key generation device 100. FIG. 13 is a flowchart showing operations of the encryption device 200. FIG. 14 is a flowchart showing operations of the decryption device 300. FIG. 15 is a flowchart showing operations of the key delegation device 400.

FIG. 16 is a conceptual diagram showing a structure of a basis of dual pairing vector spaces (DPVS).

The functions and operations of the key generation device 100 will be described. The key generation device 100 includes a master key generation unit 110, a master key storage unit 120, a key vector generation unit 130, a randomizing vector generation unit 140, a key-generation vector generation unit 150, and a key distribution unit 160.

(S301: Master Key Generation Step)

Using the processing device, the master key generation unit 110 computes Formula 161 to generate a master public key pk and a master secret key sk, and stores the generated keys in the master key storage unit 120.

[ Formula   161 ] N := n + 3 , ( q , , * , T , , * )   R  dpvs  ( 1 λ , N ) ( 1 ) X := ( χ i , j )   U  GL  ( N , q ) ( 2 ) b i = ∑ j = 1 N  χ i , j  a j ,  := ( b 1 , …  , b N ) ( 3 ) d n + 1 := b n + 1 + b n + 2 ,  := ( b 1 , …  , b n , d n + 1 , b n + 3 ) ( 4 ) ( υ i , j ) := ( X T ) - 1 ( 5 ) b i * = ∑ j = 1 N  υ i , j  a j * ,  * := ( b 1 * , …  , b N * ) ( 6 ) sk := ( X , * ) , pk := ( 1 λ , q , , * , T , , * , )   return   sk , pk ( 7 )

That is: (1) using the processing device, the master key generation unit 110 generates N(=n+3)-dimensional DPVS (q, V, V*, G_(T), A, A*) with a security parameter 1^(λ). G_(dpvs) is a DPVS generation algorithm that takes as input 1^(λ) and N, and outputs DPVS (q, V, V*, G_(T), A, A*) with the security parameter 1^(λ) and N-dimensional spaces.

(2) Using the processing device, the master key generation unit 110 randomly selects a linear transformation X in order to generate a basis B from a canonical basis A.

(3) Using the processing device and based on the selected linear transformation X, the master key generation unit 110 generates the basis B:=(b₁, b_(N)) from the basis A:=(a₁, a_(N)).

(4) Using the processing device, the master key generation unit 110 generates a basis vector B̂:=(b₁, . . . , b_(n), d_(n+1), b_(n+3)) in which basis vectors b_(n+1) and b_(n+2) of the basis B are replaced with a basis vector d_(n+1) which is the sum of the basis vectors b_(n+1) and b_(n+2).

(5) Using the processing device, the master key generation unit 110 generates a linear transformation (X^(T))⁻¹ from the linear transformation X in order to generate a basis B*:=(b*₁, . . . , b*_(N)) from a basis A*:=(a*₁, . . . , a*_(N)).

(6) Using the processing device and based on the generated linear transformation (X^(T))⁻¹, the master key generation unit 110 generates the basis B*:=(b*₁, . . . , b*_(N)) from the basis A*.

(7) The master key generation unit 110 designates the generated linear transformation X and basis B*as the master secret key sk, and (1^(λ), q, V, V*, G_(T), A, A*, B̂) including the generated basis B̂ as the master public key pk. The master key storage unit 120 stores in a storage device the master public key pk and the master secret key sk generated by the master key generation unit 110.

It is assumed that there are an N (=n+3) number of dimensions in the DPVS, where n denotes the number of bases assigned to represent the hierarchical structure of the format of hierarchy μ{right arrow over ( )}. That is, in addition to the n number of bases assigned to represent the hierarchical structure, three basis vectors are provided. The number of basis vectors may, of course, be increased further.

As shown in FIG. 16, the n number of basis vectors out of the N (=n+3) number of basis vectors are assigned for the predicate vectors and attribute vectors. The structure of the basis vectors assigned for the predicate vectors and attribute vectors is the same as the structure shown in FIG. 6. Two of the three remaining basis vectors (the (n+1)-th and (n+2)-th basis vectors) are used for information for generating a session key. The remaining one of the three remaining basis vectors (the (n+3)-th basis vector) is used for randomizing a ciphertext c₁.

To summarize, in (S301), the master key generation unit 110 executes the Setup algorithm shown in Formula 162 to generate the master public key pk and the master secret key sk.

 [ Formula   162 ] Setup  ( 1 λ , μ -> := ( n , d ; μ 1 , …  , μ d ) ) : ( param , , * )   R  ob  ( 1 λ , n + 3 ) ,   d n + 1 := b n + 1 + b n + 2 , := ( b 1 , …  , b n , d n + 1 , b n + 3 ) ,   return   sk := ( X , * ) , pk := ( 1 λ , param , ) .   where   ob  ( 1 λ , N ) : param := ( q , , * , T ,  q ) , ( υ i , j ) := ( X T ) - 1 ,   b i = ∑ j = 1 N  χ i , j  a j , := ( b 1 , …  , b N ) ,   b i * = ∑ j = 1 N  υ i , j  a j * , * := ( b 1 * , …  , b N * ) ,   return   ( param , , * )

(S302: Key vector k*_(L,dec) Generation Step)

Using the processing device and based on the master public key pk, the master secret key sk, and predicate vectors (v{right arrow over ( )}₁, v{right arrow over ( )}_(L)) shown in Formula 163, the key vector generation unit 130 computes Formula 164 to generate a key vector k*_(L,dec) which is the first element of an L-th level (level L) secret key.

$\begin{matrix} \left\lbrack {{Formula}\mspace{14mu} 163} \right\rbrack & \; \\ {\left( {{\overset{\rightarrow}{v}}_{1},\ldots \mspace{14mu},{\overset{\rightarrow}{v}}_{L}} \right):=\left( {\left( {v_{1},\ldots \mspace{14mu},v_{\mu_{1}}} \right),\ldots \mspace{14mu},\left( {v_{\mu_{L - 1} + 1},\ldots \mspace{14mu},v_{\mu_{L}}} \right)} \right)} & \; \\ \left\lbrack {{Formula}\mspace{14mu} 164} \right\rbrack & \; \\ {\sigma_{0,i},{\eta_{0}\overset{\mspace{20mu} U\mspace{20mu}}{\leftarrow}{_{q}\; \left( {{i = 1},\ldots \mspace{14mu},L} \right)}}} & (1) \\ {k_{L,{dec}}^{*}:={{\sum\limits_{t = 1}^{L}\; {\sigma_{0,t}\left( {\sum\limits_{i = {\mu_{t - 1} + 1}}^{\mu_{t}}\; {v_{i}b_{i}^{*}}} \right)}} + {\eta_{0}b_{n + 1}^{*}} + {\left( {1 - \eta_{0}} \right)b_{n + 2}^{*}}}} & (2) \end{matrix}$

That is: (1) using the processing device, the key vector generation unit 130 generates random numbers σ_(0,i) (i=1, . . . , L) and η₀.

(2) Using the processing device, the key vector generation unit 130 sets each of the predicate vectors randomized by the generated random number σ_(0,t) as the coefficient of the basis vector b*_(i) (i=1, . . . , μ_(L)). That is, each of the predicate vectors is embedded in the coefficient of the basis vector b*_(i) (i=1, . . . , μ_(L)). Using the processing device, the key vector generation unit 130 sets the random number η₀ as the coefficient of the basis vector b*_(n+1), and sets a value obtained by subtracting the random number η₀ from 1 (1−η₀) as the coefficient of the basis vector b*_(n+2). That is, the coefficients of the basis vectors b*_(n+1) and b*_(n+2) are set such that the sum of the coefficients of the basis vectors b*_(n+1) and b*_(n+2) is 1. The key vector generation unit 130 thus generates the key vector k*_(L,dec).

(S303: Randomizing Vector k*_(L,ran,j) Generation Step)

Based on the master public key pk, the master secret key sk, and the predicate vectors (v{right arrow over ( )}₁, . . . , v{right arrow over ( )}_(L)) shown in Formula 163, the randomizing vector generation unit 140 computes Formula 165 to generate a randomizing vector k*_(L,ran,j) (j=1, . . . , L+1). The randomizing vector k*_(L,ran,j) (j=1, . . . , L+1) is a vector, in a lower level key, for uniformly distributing the coefficient of a basis vector in which each of predicate vectors is embedded. The randomizing vector k*_(L,ran,j) is the j-th element of the L-th level secret key.

$\begin{matrix} \left\lbrack {{Formula}\mspace{14mu} 165} \right\rbrack & \; \\ {\mspace{79mu} {\sigma_{j,i},{\eta_{j}\overset{\mspace{20mu} U\mspace{20mu}}{\leftarrow}{_{q}\mspace{20mu}\left( {{j = 1},\ldots \mspace{14mu},{{L + 1};{i = 1}},\ldots \mspace{14mu},L} \right)}}}} & (1) \\ {\mspace{79mu} {{{{vv}_{j}\text{:}} = {\sum\limits_{t = 1}^{L}\; {\sigma_{j,t}\left( {\sum\limits_{i = {\mu_{t - 1} + 1}}^{\mu_{t}}\; {v_{i}b_{i}^{*}}} \right)}}}\mspace{20mu} \left( {{j = 1},\ldots \mspace{14mu},{L + 1}} \right)}} & (2) \\ {\mspace{79mu} {{{dv}_{j}\text{:}} = {{\eta_{j}b_{n + 1}^{*}} - {\eta_{j}{b_{n + 2}^{*}\mspace{20mu}\left( {{j = 1},\ldots \mspace{14mu},{L + 1}} \right)}}}}} & (3) \\ {{k_{L,{ran},j}^{*}\text{:} = {vv}_{j}} + {{dv}_{j}\text{:} = {\sum\limits_{t = 1}^{L}\; {\sigma_{j,t}\left( {\sum\limits_{i = {\mu_{t - 1} + 1}}^{\mu_{t}}\; {v_{i}b_{i}^{*}}} \right)}}} + {\eta_{j}b_{n + 1}^{*}} - {\eta_{j}{b_{n + 2}^{*}\mspace{20mu}\left( {{j = 1},\ldots \mspace{14mu},{L + 1}} \right)}}} & (4) \end{matrix}$

That is, (1) using the processing device, the randomizing vector generation unit 140 generates random numbers σ_(j,i) (j=1, . . . , L+1; i=1, . . . , L) and η_(j) (j=1, . . . , L+1).

(2) Using the processing device, the randomizing vector generation unit 140 generates a vector vv_(j), for each j of j=1, . . . , L+1, by setting each of the predicate vectors randomized by the random number σ_(j,i) as the coefficient of the basis vector b*_(i) (i=1, . . . , μ_(L)). That is, each of the predicate vectors is embedded in the coefficient of the basis vector b*_(i) (i=1, . . . , μ_(L)).

(3) Using the processing device, the randomizing vector generation unit 140 generates a vector dv_(j), for each j of j=1, . . . , L+1, by setting the random number η_(j) as the coefficient of the basis vector b*_(n+1) and setting a value obtained by subtracting the random number η₀ from 0 (−η_(j)) as the coefficient of the basis vector b*_(n+2). That is, the coefficients of the basis vectors b*_(n+1) and b*_(n+2) are set such that the sum of the coefficients of the basis vectors b*_(n+1) and b*_(n+2) is 0.

(4) The randomizing vector generation unit 140 generates the randomizing vector k*_(L,ran,j) (j=1, . . . , L+1), for each j of j=1, . . . , L+1, by adding together the generated vectors vv_(j) and dv_(j).

(S304: Key-Generation Vector k*_(L,del,j) Generation Step)

Using the processing device and based on the master public key pk, the master secret key sk, and the predicate vectors (v{right arrow over ( )}₁, . . . , v{right arrow over ( )}_(L)) shown in Formula 163, the key-generation vector generation unit 150 computes Formula 166 to generate a key-generation vector k*_(L,del,j) (j=μ_(L)+1, . . . , n). The key-generation vector k*_(L,del,j)=μ_(L)+1, . . . , n) is a vector for generating a lower level secret key (lower level key vector). The key-generation vector k*_(L,del,j) is the j-th element of the L-th level secret key.

 [ Formula   166 ]  σ j , i  ψ , η j   U  q   ( j = μ L + 1 , …  , n ; i = 1 , …  , L ) ( 1 )  vv j := ∑ t = 1 L  σ j , t ( ∑ i = μ t - 1 + 1 μ t  v i  b i * )   ( j = μ L + 1 , …  , n ) ( 2 )  ψ   v j := ψ   b j *   ( j = μ L + 1 , …  , n ) ( 3 )  dv i := η j  b n + 1 * - η j  b n + 2 *   ( j = μ L + 1 , …  , n ) ( 4 ) k L , del , j * := vv j + ψ   v j + dv j := ∑ t = 1 L  σ j , t ( ∑ i = μ t - 1 + 1 μ t  v i  b i * ) + ψ   b j * + η j  b n + 1 * - η j  b n + 2 *   ( j = μ L + 1 , …  , n ) ( 5 )

That is, (1) using the processing device, the key-generation vector generation unit 150 generates random numbers σ_(j,i) (j=μ_(L)+1, . . . , n; i=1, . . . , L), ψ, and η_(j) (j=μ_(L)+1, . . . , n).

(2) Using the processing device, the key-generation vector generation unit 150 generates a vector vv_(j), for each j of j=μ_(L)+1, n, by setting each of the predicate vectors randomized by the random number σ_(j,t) as the coefficient of the basis vector b*_(i) (i=1, . . . , μ_(L)). That is, each of the predicate vectors is embedded in the coefficient of the basis vector b*_(i) (i=1, . . . ,μ_(L)).

(3) Using the processing device, the key-generation vector generation unit 150 generates a vector ψv_(j), for each j of j=μ_(L)+1, . . . , n, by setting the random number ψ was the coefficient of the basis vector b*_(j).

(4) Using the processing device, the key-generation vector generation unit 150 generates a vector dv_(j), for each j of j=μ_(L)1, . . . , n, by setting the random number η_(j) as the coefficient of the basis vector b*_(n+1) and setting a value obtained by subtracting the random number η₀ from 0 (−n_(j)) as the coefficient of the basis vector b*_(n+2). That is, the coefficients of the basis vectors b*_(n+1) and b*_(n+2) are set such that the sum of the coefficients of the basis vectors b*_(n+1) and b*_(n+2) is 0.

(5) The key-generation vector generation unit 150 generates the key-generation vector k*_(L,del,j) (j=μ_(L)1, . . . , n), for each j of j=μ_(L)+1, . . . , n, by adding together the vectors vv_(j), ψv_(j), and dv_(j).

To summarize, in (S302) to (S304), using the processing device, the key vector generation unit 130, the randomizing vector generation unit 140, and the key-generation vector generation unit 150 execute the GenKey algorithm shown in Formula 167. This generates the L-th level secret key (key information k{right arrow over ( )}*_(L)) including the key vector k*_(L,dec), the randomizing vector k*_(L,ran,j) (j=1, . . . , L+1), and the key-generation vector k*_(L,del,j) (j=μ_(L)1, . . . , n).

 [ Formula   167 ] GenKey  ( pk , sk , ( v -> 1 , …  , v -> L ) ) := ( ( v 1 , …  , v μ 1 ) , …  , ( v μ L - 1 + 1 , …  , v μ L ) ) : σ j , i , ψ , η j   U  q    for   j = 0 , …  , L + 1 , μ L + 1 , …  , n ;    i = 1 , …  , L    k L , dec * := ∑ t = 1 L  σ 0 , t ( ∑ i = μ t - 1 + 1 μ t  v i  b i * ) + η 0  b n + 1 * + ( 1 - η 0 )  b n + 2 * ,   k L , ran , j * := ∑ t = 1 L  σ j , t ( ∑ i = μ t - 1 + 1 μ t  v i  b i * ) + η j  b n + 1 * - η j  b n + 2 *    for   j = 1 , …  , L + 1 ,   k L , del , j * := ∑ t = 1 L  σ j , t ( ∑ i = μ t - 1 + 1 μ t  v i  b i * ) + ψ   b j * + η j  b n + 1 * - η j  b n + 2 *    for   j = μ L + 1 , …  , n ,  return   k -> L * := ( k L , dec * , k L , ran , 1 * , …  , k L , ran , L + 1 * , k L , del , μ L + 1 * , …  , k L , del , n * ) .

(S305: Key Distribution Step)

The key distribution unit 160 transmits the master public key generated by the master key generation unit 110 and the key information k{right arrow over ( )}*_(L) generated by the key vector generation unit 130, the randomizing vector generation unit 140, and the key-generation vector generation unit 150 to the decryption device 300 through the communication device. The key distribution unit 160 also transmits the master public key to the encryption device 200 through the communication device. The key information k{right arrow over ( )}*_(L) is secretly transmitted to the decryption device 300. Any method may be used to secretly transmit the key information k{right arrow over ( )}*_(L) to the decryption device 300. For example, the key information k{right arrow over ( )}*₁ may be transmitted using a prior art cryptographic process.

The functions and operations of the encryption device 200 will be described. The encryption device 200 includes a transmission information setting unit 210, a cipher vector generation unit 220, a cipher information generation unit 230, a data transmission unit 240, and a public key acquisition unit 250.

It is assumed that the public key acquisition unit 250 has obtained the master public key and the attribute information vectors corresponding to the predicate information vectors of the decryption device 300 before the steps to be described below.

(S401: Transmission Information Setting Step)

Using the processing device and based on the master public key pk, the transmission information setting unit 210 computes Formula 168 to generate a transmission information vector ζv.

[ Formula   168 ] ζ   U  q ( 1 ) ζ   v := ζ   d n + 1 ( 2 )

That is, (1) using the processing device, the transmission information setting unit 210 generates a random number ζ.

(2) Using the processing device, the transmission information setting unit 210 generates the transmission information vector ζy by setting the random number ζ as the coefficient of the basis vector d_(n+1) in the basis B̂included in the master public key pk.

(S402: Cipher Vector c₁ Generation Step)

Using the processing device and based on the master public key pk and attribute vectors (x{right arrow over ( )}₁, . . . , x{right arrow over ( )}_(L)) shown in Formula 169, the cipher vector generation unit 220 computes Formula 170 to generate a cipher vector c₁.

({right arrow over (x)} ₁ , . . . ,{right arrow over (x)} _(L)):=((x ₁ , . . . ,x _(μ) ₁ ), . . . ,(x _(μ) _(L−1) ₊₁ , . . . ,x _(μ) _(L) ))  [Formula 169]

 [ Formula   170 ] ( x -> L + 1 , …  , x -> d ) := ( ( x μ L + 1 , …  , x μ L + 1 ) , …  , ( x μ d - 1 + 1 , …  , x μ d ) )   U  q  μ L + 1 - μ L × … × q  n - μ d - 1 ,   δ 1 , …  , δ d , δ n + 3 , ζ   U  q ( 1 )  xv := ∑ t = 1 d  δ t ( ∑ i = μ t - 1 + 1 μ t  x i  b i ) ( 2 ) rv := δ n + 3  b n + 3 ( 3 ) c 1 := xv + ζ   v + rv := ∑ t = 1 d  δ t ( ∑ i = μ t - 1 + 1 μ t  x i  b i ) + ζ   d n + 1 + δ n + 3  b n + 3 ( 4 )

That is, (1) using the processing device, the cipher vector generation unit 220 generates random numbers (x{right arrow over ( )}_(L+1), . . . , x{right arrow over ( )}_(d)) and δ_(i) (i=1, . . . , d, n+3).

(2) Using the processing device, the cipher vector generation unit 220 sets each of the attribute vectors as the coefficient of the basis vector b_(i) (i=1, . . . , μ_(L)) of the basis B included in the master public key pk. That is, each of the attribute vectors is embedded in the coefficient of the basis vector b_(i) (i=1, . . . , μ_(L)). Using the processing device, the cipher vector generation unit 220 sets the random number as the coefficient of the basis vector b_(i) (i=μ_(L)+1, . . . , n). The cipher vector generation unit 220 thus generates a vector xv.

(3) Using the processing device, the cipher vector generation unit 220 generates a vector rb by setting the random number δ_(n+3) as the coefficient of the basis vector b_(n+3) of the basis B included in the master public key pk.

(4) Using the processing device, the cipher vector generation unit 220 generates the cipher vector c₁ by adding the generated vectors xv and rv to the transmission information vector ζv generated by the transmission information setting unit 210.

The vector rv is added for enhancing security and is not a requisite element.

(S403: Cipher Information c₂ Generation Step)

Using the processing device and based on a message m, the cipher information generation unit 230 computes Formula 171 to generate cipher information c₂.

c ₂ :=g _(T) ^(ζ) m  [Formula 171]

where g_(T)=e(a_(i),a*_(i))≠1.

(S404: Data Transmission Step)

The data transmission unit 240 transmits the cipher vector c₁ generated by the cipher vector generation unit 220 and the cipher information c₂ generated by the cipher information generation unit 230 to the decryption device 300 through the communication device.

To summarize, the encryption device 200 executes the Enc algorithm shown in Formula 172 to generate the cipher vector c₁ and the cipher information c₂.

 [ Formula   172 ] Enc  ( pk , m ∈ T , ( x -> 1 , …  , x -> L ) := ( ( x 1 , …  , x μ 1 ) , …  , ( x μ L - 1 + 1 , …  , x μ L ) ) ) : ( x -> L + 1 , …  , x -> d )   U  q  μ L + 1 - μ L × … × q  n - μ d - 1 ,   δ 1 , …  , δ d , δ n + 3 , ζ   U  q ,   c 1 := ∑ t = 1 d  δ t ( ∑ i = μ t - 1 + 1 μ t  x i  b i ) + ζ   d n + 1 + δ n + 3  b n + 3 ,   c 2 := g T ζ  m ,   return   ( c 1 , c 2 ) .

The functions and operations of the decryption device 300 will be described. The decryption device 300 includes a vector input unit 310, a key vector storage unit 320, and a pairing operation unit 330.

(S501: Vector Input Step)

The vector input unit 310 receives through the communication device and inputs the cipher vector c₁ and the cipher information c₂ transmitted by the data transmission unit 240 of the encryption device 200.

(S502: Description Step)

Using the processing device and based on the master public key pk and the key vector k*_(L,dec) which is the first element of the L-th level secret key, the pairing operation unit 330 computes Formula 173 to generate a message m′.

m′:=c ₂ /e(c ₁ ,*k _(L,dec))  [Formula 173]

That is, using the processing device, the pairing operation unit 330 performs the pairing operation e on the cipher vector c₁ input by the vector input unit 310 and the key vector k*_(L,dec) stored in the storage device by the key vector storage unit 320. The pairing operation unit 330 thus computes g^(ζ) _(T). Then, by dividing the cipher information c₂ (=g^(ζ) _(T)m) by the computed g^(ζ) _(T), the message m′ (=m) is computed. When the key vector k*_(L,dec) is provided by the key generation device 100 or the key delegation device 400 of a higher level, the key vector storage unit 320 stores the key vector k*_(L,dec) in the storage device.

If L≦h holds for the attribute vector x{right arrow over ( )}_(i) (i=1, . . . , h) used by the encryption device 200 for encryption and the predicate vector v{right arrow over ( )}_(i) (i=1, . . . , L) used by the decryption device 300 for decryption and if x{right arrow over ( )}_(i)·v{right arrow over ( )}_(i)=0 for all i (i=1, . . . , L), then g^(ζ) _(t) can be obtained by performing the pairing operation e on the cipher vector c₁ and the key vector k*_(L,dec) as shown in Formula 174.

e(c ₁ ,k* _(L,dec))=g _(T) ^(Σ) ^(1≦i≦) ^(σ) ^(i) ^(δ) ^(i) ^({right arrow over (x)}) ^(i) ^(·{right arrow over (v)}) ^(i) ^(+ζ) =g _(T) ^(ζ)  [Formula 174]

To summarize; the decryption device 300 executes the Dec algorithm shown in Formula 175 to generate the message m′.

$\begin{matrix} {{{{{Dec}\left( {{pk},k_{L,{dec}}^{*\;},c_{1},c_{2}} \right)}:m^{\prime}}:={c_{2}/{e\left( {c_{1},k_{L,{dec}}^{*\;}} \right)}}},{{return}\mspace{14mu} {m^{\prime}.}}} & \left\lbrack {{Formula}\mspace{14mu} 175} \right\rbrack \end{matrix}$

The functions and operations of the key delegation device 400 will be described. The key delegation device 400 includes a key vector acquisition unit 410 (key-generation vector acquisition unit), a key vector generation unit 420, a randomizing vector generation unit 430, a key-generation vector generation unit 440, and a key distribution unit 450.

(S601: Key information K*_(L) Acquisition Step)

The key vector acquisition unit 410 obtains, through the communication device, the L-th level secret key (key information k{right arrow over ( )}*_(L)) including the key vector k*_(L,dec) which is the first element of the L-th level secret key, the randomizing vector k*_(L,ran,j) (j=1, . . . , L+1), and the key-generation vector k*_(L,del,j) (j=μ_(L)+1, . . . , n).

(S602: Key Vector k*_(L+1,dec) Generation Step)

Using the processing device and based on the master public key pk, the key information k{right arrow over ( )}*_(L), a predicate vector v{right arrow over ( )}′*_(L+1) shown in Formula 176, the key vector generation unit 420 computes Formula 177 to generate a key vector k*_(L+1,dec) which is the first element of an (L+1)-th level secret key.

{right arrow over (v)} _(L+1):=(v _(μ) _(L) ₊₁ , . . . ,v _(μ) _(L+1) )  [Formula 176]

[ Formula   177 ] α 0 , i , σ 0   U  q   ( i = 1 , …  , L + 1 ) ( 1 ) rv := ∑ i = 1 L + 1  α 0 , i  k L , ran , i * ( 2 ) vv := σ 0 ( ∑ i = μ L + 1 μ L + 1  v i  k L , del , i * ) ( 3 ) k L + 1 , dec * :=  k L , dec * + rv + vv :=  k L , dec * + ∑ i = 1 L + 1  α 0 , i  k L , ran , i * + σ 0 ( ∑ i = μ L + 1 μ L + 1  v i  k L , del , i * ) ( 4 )

That is: (1) using the processing device, the key vector generation unit 420 generates random numbers α_(0,i) (i=1, . . . , L+1) and σ₀.

(2) Using the processing device, the key vector generation unit 420 generates a vector rv by adding together vectors in which the coefficient of the randomizing vector k*_(L,ran,i) is multiplied by the random number α_(0,i) for each i of i=1, . . . , L+1. Each of the predicate vectors is embedded in the coefficient of the basis vector b*_(i) (i=1, . . . , μ_(L)) of the randomizing vector k*_(L,ran,i) (i=1, . . . , L+1). Thus, each of the predicate vectors multiplied by the random number is embedded in the coefficient of the basis vector b*_(i) (i=1, . . . , μ_(L)) of the vector rv.

(3) Using the processing device, the key vector generation unit 420 generates a vector vv by adding together vectors in which each vector of the predicate vectors v{right arrow over ( )}_(L+1) is set as the coefficient of the key-generation vector k*_(L,del,i) (i=μ_(L)+1, . . . , μ_(L+1)) and multiplying the sum by the random number σ₀. That is, each of the predicate vectors is embedded in the coefficient of the basis vector b*_(i) (i=μ_(L)+1, . . . , μ_(L+1)).

(4) Using the processing device, the key vector generation unit 420 generates the key vector k*_(L+1,dec) by adding together the key vector k*_(L,dec), the vector rv, and the vector vv.

(S603: Randomizing Vector k*_(L+1,ran,j) Generation Step)

Based on the master public key pk, the key information k{right arrow over ( )}*_(L), and the predicate vector v{right arrow over ( )}_(L+1) shown in Formula 176, the randomizing vector generation unit 430 computes Formula 178 to generate a randomizing vector k*_(L,ran,j) (j=1, L+2). The randomizing vector k*_(L,ran,j) (j=1, . . . , L+2) is a vector, in a lower level key, for uniformly distributing the coefficient of a basis vector in which each of predicate vectors is embedded. The randomizing vector k*_(L,ran,j) is the j-th element of the (L+1)-th level secret key.

[ Formula   178 ] α j , i , σ j   U  q   ( j = 1 , …  , L + 2 ; i = 1 , …  , L + 1 ) ( 1 ) rv j := ∑ i = 1 L + 1  α j , i  k L , ran , i *   ( j = 1 , …  , L + 2 ) ( 2 ) vv j := σ j ( ∑ i = μ L + 1 μ L + 1  v i  k L , del , i * )   ( j = 1 , …  , L + 2 ) ( 3 ) k L + 1 , ran , j * := rv j + vv j := ∑ i = 1 L + 1  α j , i  k L , ran , i * + σ j ( ∑ i = μ L + 1 μ L + 1  v i  k L , del , i * )    ( j = 1 , …  , L + 2 ) ( 4 )

That is, (1) using the processing device, the randomizing vector generation unit 430 generates random numbers α_(j,i) (j=1, . . . , L+2; i=1, . . . , L) and σ_(j) (j=1, . . . , L+2).

(2) Using the processing device, the randomizing vector generation unit 430 generates a vector rv_(j), for each j of j=1, L+2, by multiplying the coefficient of the randomizing vector k*_(L,ran,i) (i=1, . . . , L+1) by the random number α_(j,i) (i=1, . . . , L+1). As described above, each of the predicate vectors is embedded in the coefficient of the basis vector b*_(i) (i=1, . . . , μ_(L)) of the randomizing vector k*_(L,ran,i) (i=1, . . . , L+1). Thus, each of the predicate vectors multiplied by the random number is embedded in the coefficient of the basis vector b*_(i) (i=1, of the vector rv_(j).

(3) Using the processing device, the randomizing vector generation unit 430 generates a vector vv_(j), for each j of j=1, . . . , L+2, by adding together vectors in which each of the predicate vectors is set as the coefficient of the key-generation vector k*_(L,del,i) (i=μ_(L)+1, . . . , μ_(L+1)) and multiplying the sum by the random number σ_(j). That is, each of the predicate vectors is embedded in the coefficient of the basis vector b*_(i) (i=μ_(L)+1, μ_(L+1)).

(4) Using the processing device, the randomizing vector generation unit 430 generates the randomizing vector k*_(L+1,ran,j), for each j of j=1, . . . , L+2, by adding together the generated vectors rv_(j) and vv_(j).

(S604: Key-Generation Vector k*_(L+1,del,j) Generation Step)

Using the processing device and based on the master public key pk, the key information k{right arrow over ( )}*_(L), and the predicate vector v{right arrow over ( )}_(L+1) shown in Formula 176, the key-generation vector generation unit 440 computes Formula 179 to generate a key-generation vector k*_(L+1,del,j) (j=μ_(L+1)+1, . . . ,n). The key-generation vector k*_(L+1,del,j) (j=μ_(L+1)+1, . . . , n) is a vector for generating a lower level secret key (lower level key vector). The key-generation vector k*_(L+1,del,j) is the j-th element of the (L+1)-th level secret key.

[ Formula   179 ] α j , i , σ j , ψ ′   U  q   ( j = μ L + 1 + 1 , …  , n ; i = 1 , …  , L + 1 ) ( 1 ) rv j := ∑ i = 1 L + 1  α j , i  k L , ran , i *   ( j = μ L + 1 + 1 , …  , n ) ( 2 ) vv j := σ j ( ∑ i = μ L + 1 μ L + 1  v i  k L , del , i * )   ( j = μ L + 1 + 1 , …  , n ) ( 3 ) ψ   v j := ψ ′  k L , del , j *   ( j = μ L + 1 + 1 , …  , n ) ( 4 ) k L + 1 , del , j * :=  rv j + vv j + ψ   v j :=  ∑ i = 1 L + 1  α j , i  k L , ran , i * + σ j ( ∑ i = μ L + 1 μ L + 1  v i  k L , del , i * ) + ψ ′  k L , del , j *   ( j = μ L + 1 + 1 , …  , n ) ( 5 )

That is, (1) using the processing device, the key-generation vector generation unit 440 generates random numbers α_(j,i) (j=μ_(L+1)+1, n; i=1, . . . , L+1), σ_(j) j=μ_(L+1)+1, . . . , n) and ψ′.

(2) Using the processing device, the key-generation vector generation unit 440 generates a vector rv_(j), for each j of j=μ_(L+1)1, . . . , n, by multiplying the coefficient of the randomizing vector k*_(L,ran,i) (i=1, . . . , L+1) by the random number α_(j,i). As described above, each of the predicate vectors is embedded in the coefficient of the basis vector b*_(i) (i=1, . . . , μ_(L)) of the randomizing vector k*_(L,ran,i) (i=1, . . . , L+1). Thus, each of the predicate vectors multiplied by the random number is embedded in the coefficient of the basis vector b*_(i) (i=1, . . . , μ_(L)) of the vector rv_(j).

(3) Using the processing device, the key-generation vector generation unit 440 generates a vector vv_(j), for each j of j=μ_(L+1)1, . . . , n, by adding together vectors in which each of the predicate vectors is set as the coefficient of the key-generation vector k*_(L,del,i) (i=μ_(L)1, . . . , μ_(L+1)) and multiplying the sum by the random number σ_(j). That is, each of the predicate vectors is embedded in the coefficient of the basis vector b*_(i) (i=μ_(L)+1, . . . , μ_(L+1)).

(4) Using the processing device, the key-generation vector generation unit 440 generates a vector ψv_(j), for each j of j=μ_(L+1)+1, . . . , n, by multiplying the coefficient of the key-generation vector k*_(L,del,j) by the random number ψ′. Each of the predicate vectors is embedded in the coefficient of the basis vector b*_(j) (j=μ_(L+1)+1, . . . , n) of the key-generation vector k*_(L,del,j). Thus, each of the predicate vectors multiplied by the random number is embedded in the coefficient of the basis vector b*_(j) the vector ψv_(j) (j==μ_(L+1)1, . . . , n).

(5) Using the processing device, the key-generation vector generation unit 440 generates the key-generation vector k*_(L+1,del,j) (j=μ_(L+1)+1, . . . , n), for each j of j=μ_(L+1)+1, . . . , n, by adding together the generated vectors rv_(j), vv_(j), and ψv_(j).

To summarize, in (S602) to (S604), using the processing device, the key vector generation unit 420, the randomizing vector generation unit 430, and the key-generation vector generation unit 440 execute the Delegate_(L) algorithm shown in Formula 180 to generate the (L+1)-th level secret key (key information k{right arrow over ( )}_(L+1)) including the key vector k*_(L+1,dec), the randomizing vector k*_(L+1,ran,j) (j=1, . . . , L+2), and the key-generation vector k*_(L+1,del,j) (j=μ_(L+1)1, . . . , n).

 [ Formula   180 ] Delegate L  ( pk , k -> L * , v -> L + 1 := ( v μ L + 1 , …  , v μ L + 1 ) ) : α j , i , σ j  ψ ′   U  q    for   j = 0 , …  , L + 2 , μ L + 1 + 1 , …  , n ; i = 1 , …  , L + 1 ,   k L + 1 , dec * := k L , dec * + ∑ i = 1 L + 1  α 0 , i  k L , ran , i * + σ 0 ( ∑ i = μ L + 1 μ L + 1  v i  k L , del , i * ) ,   k L + 1 , ran , j * := ∑ i = 1 L + 1  α j , i  k L , ran , i * + σ j ( ∑ i = μ L + 1 μ L + 1  v i  k L , del , i * )    for   j = 0 , …  , L + 2 ,   k L + 1 , del , j * := ∑ i = 1 L + 1  α j , i  k L , ran , i * + σ j ( ∑ i = μ L + 1 μ L + 1  v i  k L , del , i * ) + ψ ′  k L , del , j *    for   j = μ L + 1 + 1 , …  , n ,   return   k -> L + 1 * := ( k L + 1 , dec * , k L + 1 , ran , 1 * , …  , k L + 1 , ran , L + 2 * , k L + 1 , del , μ L + 1 + 1 * , …   k L + 1 , del , n * )

(S605: Key Distribution Step)

The key distribution unit 440 transmits the key information k{right arrow over ( )}*_(L+1) generated by the key vector generation unit 420, the randomizing vector generation unit 430, and the key-generation vector generation unit 440 to the decryption device 300 of a lower level through the communication device. The key information k{right arrow over ( )}_(L+1) is secretly transmitted to the decryption device 300. Any method may be used to secretly transmit the key information k{right arrow over ( )}*_(L+1) to the decryption device 300. For example, the key information k{right arrow over ( )}*_(L+1) may be transmitted using a prior art cryptographic process.

As described above, the cryptographic processes to be implemented by the cryptographic processing system 10 have higher security than the cryptographic processes proposed in Non-Patent Literature 18, and security proof can be given in a standard model.

This is mainly because of the following two features (1) and (2).

(1) The basis vector d_(n+1) in which the encryption device 200 sets transmission information is 2-dimensional (basis vectors b_(n+1) and b_(n+2)). Because of this feature, the coefficients of the basis vectors b*_(n+1) and b*_(n+2) of the key vector k*_(L,dec) corresponding to the basis vector d_(n+1) can be randomly selected. Only the basis vector d_(n+1) is published, and the basis vectors b_(n+1) and b_(n+2) are kept secret.

(2) The key delegation device 400 generates a lower level key by using a randomizing vector. Because of this feature, the coefficient of a predetermined basis vector of the lower level key can be randomized. As a result, the security of a key is not compromised by generating its lower level key.

When the randomizing vector is not used, two lower level key vectors k*_(L+1,dec) (A) and k*_(L+1,dec) (B) generated from the key information k{right arrow over ( )}*_(L) are constructed as shown in Formula 181.

$\begin{matrix} {{{k_{{L + 1},{dec}}^{*}(A)}:={{k_{L,{dec}}^{*} + {\sigma_{A}\left( {\sum\limits_{i = {\mu_{L} + 1}}^{\mu_{L + 1}}{v_{i}k_{L,{del},i}^{*\;}}} \right)}}:={{\sum\limits_{t = 1}^{L}{\sigma_{0,t}\left( {\sum\limits_{i = {\mu_{t - 1} + 1}}^{\mu_{t}}{v_{i}b_{i}^{*}}} \right)}} + {\sigma_{A}\left( {\sum\limits_{i = {\mu_{L} + 1}}^{\mu_{L + 1}}{v_{i}k_{L,{del},i}^{*}}} \right)} + {\eta_{0}b_{n + 1}^{*}} + {\left( {1 - \eta_{0}} \right)b_{n + 2}^{*}}}}}{{k_{{L + 1},{dec}}^{*}(B)}:={{k_{L,{dec}}^{*} + {\sigma_{B}\left( {\sum\limits_{i = {\mu_{L} + 1}}^{\mu_{L + 1}}{v_{i}k_{L,{del},i}^{*\;}}} \right)}}:={{\sum\limits_{t = 1}^{L}{\sigma_{0,t}\left( {\sum\limits_{i = {\mu_{t - 1} + 1}}^{\mu_{t}}{v_{i}b_{i}^{*}}} \right)}} + {\sigma_{B}\left( {\sum\limits_{i = {\mu_{L} + 1}}^{\mu_{L + 1}}{v_{i}k_{L,{del},i}^{*}}} \right)} + {\eta_{0}b_{n + 1}^{*}} + {\left( {1 - \eta_{0}} \right)b_{n + 2}^{*}}}}}} & \left\lbrack {{Formula}\mspace{14mu} 181} \right\rbrack \end{matrix}$

That is, when the randomizing vector is not used, the coefficient of the basis vector b*_(i) (i=1, . . . , μ_(L)) included in the key vector k*_(L,dec) and in which predicate information is embedded is the same between the key vectors k*_(+1,dec) (A) and k*_(L+1,dec) (B).

However, when the randomizing vector is used, the two lower level key vectors k*_(L+1,dec) (A) and k*_(L+1,dec) (B) generated from the key information k{right arrow over ( )}→_(L) are constructed as shown in Formula 182.

$\begin{matrix} {{k_{{L + 1},{dec}}^{*}(A)}:={{k_{L,{dec}}^{*} + {\sum\limits_{i = 1}^{L + 1}{\alpha_{A,i}k_{L,{ran},i}^{*\;}}} + {\sigma_{A}\left( {\sum\limits_{i = {\mu_{L} + 1}}^{\mu_{L + 1}}{v_{i}k_{L,{del},i}^{*\;}}} \right)}}:={{{\sum\limits_{t = 1}^{L}{\sigma_{0,t}\left( {\sum\limits_{i = {\mu_{t - 1} + 1}}^{\mu_{t}}{v_{i}b_{i}^{*}}} \right)}} + {\sum\limits_{i = 1}^{L + 1}{\alpha_{A,i}k_{L,{ran},i}^{*\;}}} + {\sigma_{A}\left( {\sum\limits_{i = {\mu_{L} + 1}}^{\mu_{L + 1}}{v_{i}k_{L,{del},i}^{*}}} \right)} + {\eta_{0}b_{n + 1}^{*}} + {\left( {1 - \eta_{0}} \right)b_{n + 2}^{*}{k_{{L + 1},{dec}}^{*}(B)}}}:={{k_{L,{dec}}^{*} + {\sum\limits_{i = 1}^{L + 1}{\alpha_{B,i}k_{L,{ran},i}^{*\;}}} + {\sigma_{B}\left( {\sum\limits_{i = {\mu_{L} + 1}}^{\mu_{L + 1}}{v_{i}k_{L,{del},i}^{*\;}}} \right)}}:={{\sum\limits_{t = 1}^{L}{\sigma_{0,t}\left( {\sum\limits_{i = {\mu_{t - 1} + 1}}^{\mu_{t}}{v_{i}b_{i}^{*}}} \right)}} + {\sum\limits_{i = 1}^{L + 1}{\alpha_{A,i}k_{L,{ran},i}^{*\;}}} + {\sigma_{B}\left( {\sum\limits_{i = {\mu_{L} + 1}}^{\mu_{L + 1}}{v_{i}k_{L,{del},i}^{*}}} \right)} + {\eta_{0}b_{n + 1}^{*}} + {\left( {1 - \eta_{0}} \right)b_{n + 2}^{*}}}}}}} & \left\lbrack {{Formula}\mspace{14mu} 182} \right\rbrack \end{matrix}$

That is, when the randomizing vector is used, the randomizing vector k*_(L,ran,j) in which the coefficient is uniformly distributed by the random number λ_(A,i) is added to the key vector k*_(L+1,dec) (A). The randomizing vector k*_(L,ran,i) in which the coefficient is uniformly distributed by the random number α_(B,i) is added to the key vector k*_(L+1,dec) (B). The randomizing vector k*_(L,ran,i) includes the basis vector b*_(i) (i=1, . . . , μ_(L)). Thus, in the key vectors k*_(L+1,dec) (A) ^(and k*) _(L+1,dec) (B), the coefficient of the basis vector b*_(i) (i=1, . . . , μ_(L)) is uniformly distributed. That is, the coefficient of the basis vector b*_(i) (i=1, . . . , μ_(L)) in which predicate information is set is different between the key vectors k*_(L+1,dec) (A) and k*_(L+1,dec) (B).

In the above description, the basis vector d_(n+1) in which the encryption device 200 sets transmission information is 2-dimensional. However, the dimension of the basis vector d_(n+1) may be 3-dimensional or higher, i.e., m-dimensional (basis vector b_(n+1), . . . , basis vector b_(n+m)).

In this case, in (S301), the master key generation unit 110 operates with N=n+m+1. In the key vector k*_(L,dec) generation step (S302), the key vector generation unit 130 sets the coefficients of the basis vectors b_(n+1), . . . , and b_(n+m) such that the sum of the coefficients of the basis vectors b_(n+1), . . . , and b_(n+m) is 1. In the randomizing vector k*_(L,ran,j) generation step (S303), the randomizing vector generation unit 140 sets the coefficients of the basis vectors b_(n+1), . . . , and b_(n+m) such that the sum of the coefficients of the basis vectors b_(n+1), . . . , and b_(n+n), is 0. Likewise, in the key-generation vector k*_(L,del,j) generation step (S304), the key-generation vector generation unit 150 sets the coefficients of the basis vectors b_(n+1), . . . , and b_(n+m) such that the sum of the coefficients of the basis vectors b_(n+1), . . . , and b_(n+m) is 0. In the cipher vector c₁ generation step (S402), the cipher vector generation unit 220 generates the vector rv by setting a random number as the coefficient of the basis vector b_(n+m+1)

In the above description, the cryptographic processes are implemented in the N(=n+3)-dimensional vector spaces. For the cryptographic processes without delegation, n is an integer of 1 or larger. Accordingly, N is an integer of 4 or larger. For the cryptographic processes with delegation, n is an integer of 2 or larger. Accordingly, N is an integer of 5 or larger. As described above, in (S402), it is not essential that the encryption device 200 generates the vector rv by using the basis vector b_(n+3). When the vector rv is not generated, the cryptographic processes can be implemented in N(=n+2)-dimensional vector spaces. Thus, for the cryptographic processes without delegation, N is an integer of 3 or larger. For the cryptographic processes with delegation, N is an integer of 4 or larger.

In the cryptographic processes described above, distortion maps which have been described as one of the conditions of DPVS are not used. Distortion maps are used not in the algorithms for implementing the cryptographic processes, but for proving the security of the cryptographic processes. Thus, the cryptographic processes described above can be established in spaces without distortion maps. That is, it is not essential that there exist distortion maps in spaces for implementing the cryptographic processes described above. The same applies to the cryptographic processes to be described below.

The HPE scheme has been described above. The HPKEM scheme will now be described. Only portions of the HPKEM scheme that are different from the above HPE scheme will be described.

FIG. 17 is a functional block diagram showing functions of the cryptographic processing system 10 that implements the HPKEM scheme.

The processing steps of the key generation device 100 and the processing steps of the key delegation device 400 are the same as those of the HPE scheme described above. Thus, only the processing steps of the encryption device 200 and the processing steps of the decryption device 300 will be described.

FIG. 18 is a flowchart showing operations of the encryption device 200. FIG. 19 is a flowchart showing operations of the decryption device 300.

The functions and operations of the encryption device 200 will be described.

The encryption device 200 shown in FIG. 17 includes a session key generation unit 260, in addition to the functions included in the encryption device 200 shown in FIG. 11. The encryption device 200 shown in FIG. 17 does not include the cipher information generation unit 230 included in the encryption device 200 shown in FIG. 11. (S701) and (S702) are the same as (S401) and (S402).

In (S703: data transmission step), the cipher vector c₁ generated by the cipher vector generation unit 220 in (S702) is transmitted to the decryption device 300 through the communication device. That is, in the HPKEM scheme, cipher information c₂ in which a message m is embedded is not generated and is not transmitted to the decryption device 300.

In (S704: session key generation step), using the processing device, the session key generation unit 260 computes Formula 183 to generate a session key K.

K:g _(T) ^(ζ)  [Formula 183]

where g_(T)=e(a_(i),a*_(i))≠1.

To summarize, the encryption device 200 executes the Enc algorithm shown in Formula 184 to generate the cipher vector c₁ and the session key K.

 [ Formula   184 ] Enc  ( pk , ( x -> 1 , …  , x -> L ) := ( ( x 1 , …  , x μ 1 ) , …  , ( x μ L - 1 + 1 , …  , x μ L ) ) ) : ( x -> L + 1 , …  , x -> d )   U  q  μ L + 1 - μ L × … × q  n - μ d - 1 ,   δ 1 , …  , δ d , δ n + 3 , ζ   U  q ,   c 1 := ∑ t = 1 d  δ t ( ∑ i = μ t - 1 + 1 μ t  x i  b i ) + ζ   d n + 1 + δ n + 3  b n + 3 ,   K := g T ζ ,   return   ( c 1 , K ) .

The functions and operations of the decryption device 300 will be described.

The configuration of the functions of the decryption device 300 shown in FIG. 17 is the same as that of the decryption device 300 shown in FIG. 11.

(S801: Vector Input Step)

The vector input unit 310 receives through the communication device and inputs the cipher vector c₁ transmitted by the data transmission unit 240 of the encryption device 200.

(S802: Decryption Step)

Using the processing device and based on the master public key pk and the key vector k*_(L,dec) which is the first element of the L-th level secret key, the pairing operation unit 330 computes Formula 185 to generate a session key K.

K′:=e(c ₁ ,K* _(L,dec))  [Formula 185]

That is, using the processing device, the pairing operation unit 330 performs the pairing operation e on the cipher vector c₁ input by the vector input unit 310 and the key vector k*_(L,dec) stored in the storage device by the vector storage unit 320. The pairing operation unit 330 thus computes g^(ζ) _(T) (=K) which is a value concerning ζ embedded by the encryption device 200.

To summarize, the decryption device 300 executes the Dec algorithm shown in Formula 186 to generate the session key K′ (=K).

$\begin{matrix} {{{{{Dec}\left( {{pk},k_{L,{dec},c_{1}}^{*\;}} \right)}:K^{\prime}}:={e\left( {c_{1},k_{L,{dec}}^{*\;}} \right)}},{{return}\mspace{14mu} {K^{\prime}.}}} & \left\lbrack {{Formula}\mspace{14mu} 186} \right\rbrack \end{matrix}$

As described above, according to the HPKEM scheme, the session key K can be secretly transmitted from the encryption device 200 to the decryption device 300. This means that the session key can be shared between the encryption device 200 and the decryption device 300.

Third Embodiment

In a third embodiment, a PE scheme with delegation which is more generic than the HPE and HPKEM schemes described in the second embodiment will be described.

As described above, in the HPE and HPKEM schemes described in the second embodiment, basis vectors are used as shown in FIG. 16. That is, the n number of basis vectors out the (n+3) number of basis vectors are used to represent the hierarchical structure of the basis vectors for attribute vectors and predicate vectors. In particular, a first μ₁ number of basis vectors are used as the basis vectors for the first level attribute vectors and predicate vectors. A (μ₂−μ₁) number of basis vectors are used as the basis vectors for the second level attribute vectors and predicate vectors. Likewise, a (μ_(L)−μ_(L−1)) number of basis vectors are used as the basis vectors for the L-th level attribute vectors and predicate vectors.

The L-th level key vector k*_(L,dec) is computed as shown in Formula 164. That is, in the L-th level key vector k*_(L,dec), each of the predicate vectors is assigned as the coefficient of the basis vector b*_(i) (i=1, L), and 0 is assigned as the coefficient of the basis vector b*_(i) (i=L+1, . . . , n).

The L-th level cipher vector c₁ is computed as shown in Formula 170. That is, in the L-th level cipher vector c₁, each of the attribute vectors is assigned as the coefficient of the basis vector b_(i) (i=1, L), and the random number is assigned as the coefficient of the basis vector b_(i) (i=L+1, . . . , n).

With this arrangement, hierarchical delegation is implemented.

In the PE (PKEM) scheme to be described in the third embodiment, as in the second embodiment, the n number of basis vectors out of the (n+3) number of basis vectors are used as the basis vectors for attribute vectors and predicate vectors. However, for any key (regardless of level), all of the n number of basis vectors are used as the basis vectors for predicate vectors. That is, all of the n number of basis vectors are always used as the basis vectors for attribute vectors or predicate vectors.

In the key vector k*_(L,dec), each of the predicate vectors is assigned as the coefficient of the basis vector b*_(i) (i=1, . . . , n). In the L-th level cipher vector c₁, each of the attribute vectors is assigned as the coefficient of the basis vector b_(i) (i=1, . . . , n).

That is, there is no concept of hierarchical structure for the n number of basis vectors. There is also no concept of hierarchical delegation for secret keys. Therefore, more flexible delegation can be realized, compared to the cryptographic processes described in the second embodiment.

First, implementation of the PE scheme with delegation will be described.

FIG. 20 is a functional block diagram showing functions of the cryptographic processing system 10 that implements the PE scheme with delegation. The functions included in the cryptographic processing system 10 shown in FIG. 20 are the same as the functions included in the cryptographic processing system 10 shown in FIG. 11.

The flow of operations of the cryptographic processing system 10 for implementing the PE scheme with delegation according to the third embodiment are the same as the flow of operations of the cryptographic processing system 10 according to the second embodiment. Thus, the functions and operations of the cryptographic processing system 10 according to the third embodiment will be described with reference to FIGS. 20 and 12 to 16.

The functions and operations of the key generation device 100 will be described.

(S301: Master Key Generation Step)

As in (S301) of the second embodiment, using the processing device, the master key generation unit 110 computes Formula 187 to generate a master public key pk and a master secret key sk and stores the keys in the master key storage unit 120.

 [ Formula   187 ]  Setup  ( 1 λ , μ -> := n ) : ( param , , * )   R  ob  ( 1 λ , n + 3 ) ,   d n + 1 := b n + 1 + b n + 2 ,   := ( b 1 , …  , b n , d n + 1 , b n + 3 ) ,   return   sk := ( X , * ) ,   pk := ( 1 λ , param , ) .   where   ob  ( 1 λ , N ) : param := ( q , , * , T , , * )   R  dpvs  ( 1 λ , N ) ,   X := ( χ i , j )   U  GL ( N ,    b i = ∑ j = 1 N  χ i , j  a j , := ( b 1 , …  , b N ) ,   b i * = ∑ j = 1 N  υ i , j  a j * , * := ( b 1 * , …  , b N * ) ,   return   ( param , , * )

(S302: Key Vector k*_(L,dec) Generation Step)

Using the processing device and based on the master public key pk, the master secret key sk, and predicate vectors (v{right arrow over ( )}₁, . . . , v{right arrow over ( )}_(L)) shown in Formula 188, the key vector generation unit 130 computes Formula 189 to generate a key vector k*_(L,dec) which is the first element of an L-th level (level L) secret key.

[ Formula   188 ] ( v -> 1 , …  , v -> L ) := ( ( v 1 , 1 , …  , v 1 , n ) , …  , ( v L , 1 , …  , v L , n ) ) [ Formula   189 ] σ dec , t , η dec   U  q   ( t = 1 , …  , L ) ( 1 ) k L , dec * := ∑ t = 1 L  σ dec , t ( ∑ i = 1 n  v t , i  b i * ) + η dec  b n + 1 * + ( 1 - η dec )  b n + 2 * ( 2 )

(S303: Randomizing Vector k*_(L,ran,j) Generation Step)

Based on the master public key pk, the master secret key sk, and the predicate vectors (v{right arrow over ( )}₁, . . . , v{right arrow over ( )}_(L)) shown in Formula 188, the randomizing vector generation unit 140 computes Formula 190 to generate a randomizing vector k*_(L,ran,j) (j=1, . . . , L+1).

 [ Formula   190 ]  σ ran , j , t , η ran , j   U  q   ( j = 1 , …  , L + 1 ; t = 1 , …  , L ) ( 1 )  vv j := ∑ t = 1 L  σ ran , j , t ( ∑ i = 1 n  v t , i  b i * )   ( j = 1 , …  , L + 1 ) ( 2 )  dv j := η ran , j  b n + 1 * - η ran , j  b n + 2 *   ( j = 1 , …  , L + 1 ) ( 3 ) k L , ran , j * := vv j + dv j := ∑ t = 1 L  σ ran , j , t  ( ∑ i = 1 n  v t , i  b i * ) + η ran , j  b n + 1 * - η ran , j  b n + 2 *   ( j = 1 , …  , L + 1 ) ( 4 )

(S304: Key-Generation Vector k*_(L,del,j) Generation Step)

Using the processing device and based on the master public key pk, the master secret key sk, and the predicate vectors (v{right arrow over ( )}₁, . . . , v{right arrow over ( )}_(L)) shown in Formula 188, the key-generation vector generation unit 150 computes Formula 191 to generate a key-generation vector k*_(L,del,j) (j=1, . . . , n).

 [ Formula   191 ]  σ del , j , t , η del , j , ψ   U  q   ( j = 1 , …  , n ; t = 1 , …  , L ) ( 1 )  vv j := ∑ t = 1 L  σ del , j , t ( ∑ i = 1 n  v t , i  b i * )   ( j = 1 , …  , n ) ( 2 )  ψ   v j := ψ   b j *   ( j = 1 , …  , n ) ( 3 )  dv j := η del , j  b n + 1 * - η del , j  b n + 2 *   ( j = 1 , …  , n ) ( 4 ) k L , del , j * := vv j + ψ   v j + dv j := ∑ t = 1 L  σ del , j , t ( ∑ i = 1 n  v t , i  b i * ) + ψ   b j * + η del , j  b n + 1 * - η del , j  b n + 2 *   ( j = 1 , …  , n ) ( 5 )

To summarize, in (S302) to (S304), using the processing device, the key vector generation unit 130, the randomizing vector generation unit 140, and the key-generation vector generation unit 150 execute the GenKey algorithm shown in Formula 192. This generates the L-th level secret key (key information k{right arrow over ( )}*_(L)) including the key vector k*_(L,dec), the randomizing vector k*_(L,ran,j) (j=1, . . . , L+1), and the key-generation vector k*_(L,del,j) (j=1, . . . , n).

 [ Formula   192 ] GenKey  ( pk , sk , ( v -> 1 , …  , v -> L ) ) := ( ( v 1 , 1 , …  , v 1 , n ) , …  , ( v L , 1 , …  , v L , n ) ) : σ dec , t , η dec , σ ran , j , t , η ran , j  ( j = 1 , …  , L + 1 ) ,   σ del , j , t , η del , j  ( j = 1 , …  , n ) , ψ   U  q     for   t = 1 , …  , L ,   k L , dec * := ∑ t = 1 L  σ dec , t ( ∑ i = 1 n  v t , i  b i * ) + η dec  b n + 1 * + ( 1 - η dec )  b n + 2 * ,   k L , ran , j * := ∑ t = 1 L  σ ran , j , t ( ∑ i = 1 n  v t , i  b i * ) + η ran , j  b n + 1 * - η ran , j  b n + 2 *    for   j = 1 , …  , L + 1 ,   k L , del , j * := ∑ t = 1 L  σ del , j , t  ( ∑ i = 1 n  v t , i  b i * ) + ψ   b j * + η del , j  b n + 1 * - η del , j  b n + 2 *    for   j = 1 , …  , n ,   return   k -> L * := ( k L , dec * , k L , ran , 1 * , …  , k L , ran , L + 1 * , k L , del , 1 * , …  , k L , del , n * ) .

(S305: Key Distribution Step)

As in (S305) of the second embodiment, the key distribution unit 160 transmits the master public key generated by the master key generation unit 110 and the key information k{right arrow over ( )}*_(L) generated by the key vector generation unit 130, the randomizing vector generation unit 140, and the key-generation vector generation unit 150 to the decryption device 300 through the communication device. The key distribution unit 160 transmits the master public key to the encryption device 200 through the communication device.

The functions and operations of the encryption device 200 will be described.

(S401: Transmission Information Setting Step)

As in (S401) of the second embodiment, using the processing device and based on the master public key pk, the transmission information setting unit 210 computes Formula 193 to generate a transmission information vector ζv.

[ Formula   193 ] ζ   U  q ( 1 ) ζ   v := ζ   d n + 1 ( 2 )

(S402: Cipher vector c₁ Generation Step)

Using the processing device and based on the master public key pk and attribute vectors (x{right arrow over ( )}₁, . . . , x{right arrow over ( )}_(L)) shown in Formula 194, the cipher vector generation unit 220 computes Formula 195 to generate a cipher vector c₁.

[ Formula   194 ] ( x -> 1 , …  , x -> L ) := ( ( x 1 , 1 , …  , x 1 , n ) , …  , ( x L , 1 , …  , x L , n ) ) [ Formula   195 ] δ 1 , …  , δ L , δ n + 3 , ζ   U  q ( 1 ) xv := ∑ t = 1 L  δ t ( ∑ i = 1 n  x t , i  b i ) ( 2 ) rv := δ n + 3  b n + 3 ( 3 ) c 1 := xv + ζ   v + rv := ∑ t = 1 L  δ t ( ∑ i = 1 n  x t , i  b i ) + ζ   d n + 1 + δ n + 3  b n + 3 ( 4 )

(S403: Cipher Information c₂ Generation Step)

As in (S403) of the second embodiment, using the processing device and based on a message m, the cipher information generation unit 230 computes Formula 196 to generate cipher information c₂.

c ₂ :=g _(T) ^(ζ) m  [Formula 196]

(S404: Data Transmission Step)

As in (S404) of the second embodiment, the data transmission unit 240 transmits the cipher vector c₁ generated by the cipher vector generation unit 220 and the cipher information c₂ generated by the cipher information generation unit 230 to the decryption device 300 through the communication device.

To summarize, the encryption device 200 executes the Enc algorithm shown in Formula 197 to generate the cipher vector c₁ and the cipher information c₂.

 [ Formula   197 ] Enc  ( pk , m ∈ T , ( x -> 1 , …  , x -> L ) := ( ( x 1 , 1 , …  , x 1 , n ) , …  , ( x L , 1 , …  , x L , n ) ) ) : δ 1 , …  , δ L , δ n + 3 , ζ   U  q ,   c 1 := ∑ t = 1 L  δ t ( ∑ i = 1 n  x t , i  b i ) + ζ   d n + 1 + δ n + 3  b n + 3 ,   c 2 := g T ζ  m ,   return   ( c 1 , c 2 ) .

The functions and operations of the decryption device 300 will be described.

(S501: Vector Input Step)

As in (S501) of the second embodiment, the vector input unit 310 receives through the communication device and inputs the cipher vector c₁ and the cipher information c₂ transmitted by the data transmission unit 240 of the encryption device 200.

(S502: Decryption Step)

As in (S502) of the second embodiment, using the processing device and based on the master public key pk and the key vector k*_(L,dec) which is the first element of the L-th level secret key, the pairing operation unit 330 computes Formula 198 to generate a message m′.

m′=c ₂ /e(c ₁ ,k* _(L,dec))  [Formula 198]

If x{right arrow over ( )}_(i)·v{right arrow over ( )}_(j)=0 holds for the attribute vector (i=1, . . . , h) used by the encryption device 200 for encryption and the predicate vector v{right arrow over ( )}_(j) (j=1, . . . , L) of the key vector used by the decryption device 300 for decryption for every i of (i=1, . . . , h) and every j of (j=1, . . . , L), then the pairing operation unit 330 can generate the message m. It is assumed that the message mεG_(T).

To summarize, the decryption device 300 executes the Dec algorithm shown in Formula 199 to generate the message m′.

$\begin{matrix} {{{{{Dec}\left( {{pk},k_{L,{dec}}^{*\;},c_{1},c_{2}} \right)}:m^{\prime}}:={c_{2}/{e\left( {c_{1},k_{L,{dec}}^{*\;}} \right)}}},{{return}\mspace{14mu} {m^{\prime}.}}} & \left\lbrack {{Formula}\mspace{14mu} 199} \right\rbrack \end{matrix}$

The functions and operations of the key delegation device 400 will be described.

(S601: Key Information Acquisition Step)

As in (S601) of the second embodiment, the key vector acquisition unit 410 obtains through the communication device the L-th level secret key (key information k{right arrow over ( )}*_(L)) including the key vector k*_(L,dec) which is the first element of the L-th level secret key, the randomizing vector k*_(L,ran,j) (j=1, . . . , L+1), and the key-generation vector k*_(L,del,j) (j=1, . . . , n).

(S602: Key Vector k*_(L+1,dec) Generation Step)

Using the processing device and based on the master public key pk, the key information k{right arrow over ( )}*_(L), and a predicate vector v{right arrow over ( )}_(L+1) shown in Formula 200, the key vector generation unit 420 computes Formula 201 to generate a key vector k*_(L+1,dec) which is the first element of an (L+1)-th level secret key.

{right arrow over (v)} _(L+1):=(v _(L+1,1) , . . . ,v _(L+1,n))  [Formula 200]

 [ Formula   201 ]  α dec , t , σ dec   U  q   ( t = 1 , …  , L + 1 ) ( 1 )  rv := ∑ t = 1 L + 1  α dec , t  k L , ran , t * ( 2 )  vv := σ dec ( ∑ i = 1 n  v L + 1 , i  k L , del , i * ) ( 3 ) k L + 1 , dec * := k L , dec * + rv + vv := k L , dec * + ∑ t = 1 L + 1  α dec , t  k L , ran , t * + σ dec ( ∑ i = 1 n  v L + 1 , i  k L , del , i * ) ( 4 )

(S603: Randomizing vector k*_(L+1,ran,j) Generation Step)

Based on the master public key pk, the key information k{right arrow over ( )}*_(L), and the predicate vector v{right arrow over ( )}_(L+1) shown in Formula 200, the randomizing vector generation unit 430 computes Formula 202 to generate a randomizing vector k*_(L+1,ran,j) (j=1, . . . , L+2).

 [ Formula   202 ]  α ran , j , t , σ ran , j   U  q   ( j = 1 , …  , L + 2 ; t = 1 , …  , L + 1 ) ( 1 )  rv j := ∑ t = 1 L + 1  α ran , j , t  k L , ran , t *   ( j = 1 , …  , L + 2 ) ( 2 )  vv j := σ ran , j ( ∑ i = 1 n  v L + 1 , i  k L , del , i * )   ( j = 1 , …  , L + 2 ) ( 3 ) k L + 1 , ran , j * := rv j + vv j := ∑ t = 1 L + 1  α ran , j , t  k L , ran , t * + σ ran , j ( ∑ i = 1 n  v L + 1 , i  k L , del , i * )    ( j = 1 , …  , L + 2 ) ( 4 )

(S604: Key-Generation Vector k*_(L+1,del,j) Generation Step)

Using the processing device and based on the master public key pk, the key information k{right arrow over ( )}*_(L), and the predicate vector v{right arrow over ( )}_(L+1) shown in Formula 200, the key-generation vector generation unit 440 computes Formula 203 to generate a key-generation vector k*_(L+1,del,j)=1, . . . , n).

 [ Formula   203 ]  α del , j , t , σ del , j , ψ ′   U  q   ( j = 1 , …  , n ; i = 1 , …  , L + 1 ) ( 1 )  rv j := ∑ t = 1 L + 1  α del , j , t  k L , del , t *   ( j = 1 , …  , n ) ( 2 )  vv j := σ del , j ( ∑ i = 1 n  v L + 1 , i  k L , del , i * )   ( j = 1 , …  , n ) ( 3 )  ψ   v j := ψ ′  k L , del , j *   ( j = 1 , …  , n ) ( 4 ) k L + 1 , del , j * := rv j + vv j + ψ   v j := ∑ t = 1 L + 1  α del , j , t  k L , del , t * + σ del , j ( ∑ i = 1 n  v L + 1 , i  k L , del , i * ) + ψ ′  k L , del , j *   ( j = 1 , …  , n ) ( 5 )

To summarize, in (S602) to (S604), using the processing device, the key vector generation unit 420, the randomizing vector generation unit 430, and the key-generation vector generation unit 440 execute the Delegate_(L) algorithm shown in Formula 204 to generate the (L+1)-th level secret key (key information k{right arrow over ( )}*_(L+1)) including the key vector k*_(L+1,dec), the randomizing vector k*_(L+1,ran,j) (j=1, . . . , L+2), and the key-generation vector k*_(L+1,del,j) (j=1, . . . , n).

 [ Formula   204 ] Delegate L  ( pk , k -> L * , v -> L + 1 := ( v L + 1 , 1 , …  , v L + 1 , n ) ) : α dec , t , σ dec , α ran , j , t , σ ran , j  ( j = 1 , …  , L + 2 ) ,   α del , j , t , σ del , j  ( j = 1 , …  , n ) , ψ ′   U  q    for   t = 1 , …  , L + 1 ,   k L + 1 , dec * := k L , dec * + ∑ t = 1 L + 1  α dec , t  k L , ran , t * + σ dec ( ∑ i = 1 n  v L + 1 , i  k L , del , i * ) ,   k L + 1 , ran , j * := ∑ t = 1 L + 1  α ran , j , t  k L , ran , t * + σ ran , j ( ∑ i = 1 n  v L + 1 , i  k L , del , i * )    for   j = 1 , …  , L + 2 ,   k L + 1 , del , j * := ∑ t = 1 L + 1  α del , j , t  k L , del , t * + σ del , j ( ∑ i = 1 n  v L + 1 , i  k L , del , i * ) + ψ ′  k L , del , j *    for   j = 1 , …  , n ,  return   k -> L + 1 * := ( k L + 1 , dec * , k L + 1 , ran , 1 * , …  , k L + 1 , ran , L + 2 * , k L + 1 , del , 1 * , …   k L + 1 , del , n * ) .

(S605: Key Distribution Step)

As in (S605) of the second embodiment, the key distribution unit 450 transmits the key information k{right arrow over ( )}_(L+1) generated by the key vector generation unit 420, the randomizing vector generation unit 430, and the key-generation vector generation unit 440 to the decryption device 300 of a lower level through the communication device.

As described above, if x{right arrow over ( )}_(i)·v{right arrow over ( )}_(j)=0 holds for the attribute vector x{right arrow over ( )}_(j) (i=1, . . . , h) used by the encryption device 200 for encryption and the predicate vector v{right arrow over ( )}_(i) (j=1, . . . , L) of the key vector k*_(L,dec) used by the decryption device 300 for decryption for every i of (i=1, . . . , h) and every j of (j=1, . . . , L), then the decryption device 300 succeeds in decryption. That is, when the key vector k*_(1,dec) generated based on the predicate vector (v{right arrow over ( )}₁) is used for decryption, the decryption device 300 succeeds in decryption if x{right arrow over ( )}·v{right arrow over ( )}₁=0. When the key vector k*_(2,dec) generated based on the predicate vectors (v{right arrow over ( )}₁, v{right arrow over ( )}₂) is used for decryption, the decryption device 300 succeeds in decryption if x{right arrow over ( )}·v{right arrow over ( )}₁=0 and x{right arrow over ( )}·v{right arrow over ( )}₂=0. That is, as with the algorithms described in the second embodiment, the lower level key vector k*_(2,dec) has more limited capabilities than the higher level key vector k*_(1,dec).

In this embodiment, as in the second embodiment, it is assumed that the basis vector d_(n+1) in which the encryption device 200 sets transmission information is 2-dimensional. However, the dimension of the basis vector d_(n+1) may be 3-dimensional or higher, i.e., m-dimensional (basis vector b_(n+1), . . . , basis vector b_(n+m)).

As in the second embodiment, the HPKEM scheme may also be implemented by modifying the Enc algorithm executed by the encryption device 200 and the Dec algorithm executed by the decryption device 300 as shown in Formula 205 and Formula 206 respectively.

 [ Formula   205 ] Enc  ( pk , ( x -> 1 , …  , x -> L ) := ( ( x 1 , 1 , …  , x 1 , n ) , …  , ( x L , 1 , …  , x L , n ) ) ) : δ 1 , …  , δ L , δ n + 3 , ζ   U  q ,   c 1 := ∑ t = 1 L  δ t  ( ∑ i = 1 n  x t , i  b i ) + ζ   d n + 1 + δ n + 3  b n + 3 ,   K := g T ζ ,   return   ( c 1 , K ) .

$\begin{matrix} {{{{{Dec}\left( {{pk},k_{L,{dec}}^{*\;},c_{1}} \right)}:K^{\prime}}:={e\left( {c_{1},k_{L,{dec}}^{*\;}} \right)}},{{return}\mspace{14mu} {K^{\prime}.}}} & \left\lbrack {{Formula}\mspace{14mu} 206} \right\rbrack \end{matrix}$

Fourth Embodiment

In the above embodiments, the methods for implementing the cryptographic processes in dual vector spaces have been described. In this embodiment, a method for implementing the cryptographic processes in dual modules will be described.

That is, in the above embodiments, the cryptographic processes are implemented in cyclic groups of prime order q. However, when a ring R is expressed using a composite number M as shown in Formula 207, the cryptographic processes described in the above embodiments can be adapted to a module having the ring R as the coefficient.

:=

/M

  [Formula 207]

where

: integer, M: composite number.

For example, when the HPE scheme described in the second embodiment is implemented in the module having the ring R as the coefficient, it is expressed as shown in Formulas 208 to 212.

 [ Formula   208 ] Setup  ( 1 λ , μ -> := ( n , d ; μ 1 , …  , μ d ) ) : ( param , , * )   R  ob  ( 1 λ , n + 3 ) ,   d n + 1 := b n + 1 + b n + 2 ,   := ( b 1 , …  , b n , d n + 1 , b n + 3 ) ,   return   sk := ( X , * ) ,   pk := ( 1 λ , param , ) .   where   ob  ( 1 λ , N ) : param := ( M ,   X := ( χ i , j )   U  GL ( N ,    b i = ∑ j = 1 N  χ i , j  a j ,   := ( b 1 , …  , b N ) ,   b i * := ∑ j = 1 N  υ i , j  a j * ,   * := ( b 1 * , …  , b N * ) ,   return   ( param , , * )  [ Formula   209 ] GenKey  ( pk , sk  ( v -> 1 , …  , v -> L ) ) := ( ( v 1 , …  , v μ 1 ) , …  , ( v μ L - 1 + 1 , …  , v μ L ) ) : σ j , i , ψ , η j   U     for   j = 0 , …  , L + 1 , μ L + 1 , …  , n ; i = 1 , …  , L    k L , dec * := ∑ t = 1 L  σ 0 , t ( ∑ i = μ t - 1 + 1 μ t  v i  b i * ) + η 0  b n + 1 * + ( 1 - η 0 )  b n + 2 * ,   k L , ran , j * := ∑ t = 1 L  σ j , t ( ∑ i = μ t - 1 + 1 μ t  v i  b i * ) + η 0  b n + 1 * - η j  b n + 2 *    for   j = 1 , …  , L + 1 ,   k L , del , j * := ∑ t = 1 L  σ j , t ( ∑ i = μ t - 1 + 1 μ t  v i  b i * ) + ψ   b j * + η j  b n + 1 * - η j  b n + 2 *    for   j = μ L + 1 , …  , n ,   return   k -> L * := ( k L , 0 * , …  , k L , L + 1 * , k L , μ L + 1 * , …  , k L , n * ) .  [ Formula   210 ] Enc  ( pk , m ∈ T , ( x -> 1 , …  , x -> L ) := ( ( x 1 , …  , x μ 1 ) , …  , ( x μ L - 1 + 1 , …  , x μ L ) ) ) : ( x -> L + 1 , …  , x -> d )   U   μ L + 1 - μ L × … ×  n - μ d - 1 ,   δ 1 , …  , δ d , δ n + 3 , ζ   U  ,   c 1 := ∑ t = 1 d  δ t ( ∑ i = μ t - 1 + 1 μ t  x i  b i ) + ζ   d n + 1 + δ n + 3  b n + 3 ,   c 2 := g T ζ  m ,   return   ( c 1 , c 2 ) .  [ Formula   211 ]  Dec  ( pk , k L , dec * , c 1 , c 2 ) : m ′ := c 2 / e  ( c 1 , k L , dec * ) ,   return   m ′ .  [ Formula   212 ] Delegate L  ( pk , k -> L * , v -> L + 1 := ( v μ L + 1 , …  , v μ L + 1 ) ) : α j , i , σ j , ψ ′   U     for   j = 0 , …  , L + 2 , μ L + 1 + 1 , …  , n ; i = 1 , …  , L + 1 ,   k L + 1 , dec * := k L , dec * + ∑ i = 1 L + 1  α 0 , i  k L , ran , i * + σ 0 ( ∑ i = μ L + 1 μ L + 1  v i  k L , del , i * ) ,   k L + 1 , ran , j * := ∑ i = 1 L + 1  α j , i  k L , ran , i * + σ j ( ∑ i = μ L + 1 μ L + 1  v i  k L , del , i * )    for   j = 0 , …  , L + 2 ,   k L + 1 , del , j * := ∑ i = 1 L + 1  α j , i  k L , ran , i * + σ j ( ∑ i = μ L + 1 μ L + 1  v i  k L , del , i * ) + ψ ′  k L , del , j *    for   j = μ L + 1 + 1 , …  , n ,   return   k -> L + 1 * := ( k L + 1 , 0 * , …  , k L + 1 , L + 2 * , k L + 1 , μ L + 1 + 1 * , …   k L + 1 , n * ) .

In this embodiment, only the method for implementing the HPE scheme of the second embodiment in the module having the ring R as the coefficient has been described. However, in principle, the processes described for the field F_(q) in the above embodiments can be implemented in the module having the ring R as the coefficient by replacing the field F_(q) with the ring R.

A hardware configuration of the cryptographic processing system 10 (the key generation device 100, the encryption device 200, the decryption device 300, and the key delegation device 400) according to the embodiments will now be described.

FIG. 21 is a diagram showing an example hardware configuration of the key generation device 100, the encryption device 200, the decryption device 300, and the key delegation device 400.

As shown in FIG. 21, the key generation device 100, the encryption device 200, the decryption device 300, and the key delegation device 400 each include the CPU 911 (central processing unit, also called a processing unit, an arithmetic unit, a microprocessor, a microcomputer, or a processor). The CPU 911 is connected through the bus 912 with the ROM 913, the RAM 914, the LCD 901 (liquid crystal display), the keyboard 902 (K/B), the communication board 915, and the magnetic disk device 920, and controls these hardware devices. The magnetic disk device 920 (fixed disk device) may be replaced with a storage device such as an optical disk device or a memory card read/write device. The magnetic disk device 920 is connected through a predetermined fixed disk interface.

The ROM 913 and the magnetic disk device 920 are examples of a nonvolatile memory. The RAM 914 is an example of a volatile memory. The ROM 913, the RAM 914, and the magnetic disk device 920 are examples of a storage device (memory). The keyboard 902 and the communication board 915 are examples of an input device. The communication board 915 is an example of a communication device (network interface). The LCD 901 is an example of a display device.

The magnetic disk device 920, the ROM 913, or the like stores an operating system 921 (OS), a window system 922, programs 923, and files 924. The programs 923 are executed by the CPU 911, the operating system 921, and the window system 922.

The programs 923 store software or programs for executing the functions described hereinabove as “the master key generation unit 110”, “the master key storage unit 120”, “the key vector generation unit 130”, “the randomizing vector generation unit 140”, “the key-generation vector generation unit 150”, “the key distribution unit 160”, “the transmission information setting unit 210”, “the cipher vector generation unit 220”, “the cipher information generation unit 230”, “the data transmission unit 240”, “the public key acquisition unit 250”, “the session key generation unit 260”, “the vector input unit 310”, “the key vector storage unit 320”, “the pairing operation unit 330”, “the key vector acquisition unit 410”, “the key vector generation unit 420”, “the randomizing vector generation unit 430”, “the key-generation vector generation unit 440”, “the key distribution unit 450”, and so on. The programs are read and executed by the CPU 911.

The files 924 store information, data, signal values, variable values, and parameters, such as “the master public key pk”, “the master secret key sk”, “the cipher vector c”, and “the key vector” described hereinabove, each of which is stored as an item of a “file” or a “database”. The “file” or “database” is stored in a storage device such as a disk or memory. The information, data, signal values, variable values, and parameters stored in the storage device such as the disk or memory are read by the CPU 911 through a read/write circuit to a main memory or a cache memory, and are used for operations of the CPU 911 such as extraction, search, reference, comparison, calculation, computation, processing, output, printing, and display. The information, data, signal values, variable values, and parameters are temporarily stored in the main memory, the cache memory, or a buffer memory during the operations of the CPU 911 such as extraction, search, reference, comparison, calculation, computation, processing, output, printing, and display.

In the flowcharts described hereinabove, an arrow mainly represents an input/output of data or a signal, and each data or signal value is stored in the RAM 914, or other types of storage medium such as an optical disk, or an IC chip. The data or signal is transferred online through the bus 912, a signal line, a cable, other types of transfer medium, or a radio wave.

What is described hereinabove as “a . . . unit” may be “a . . . circuit”, “a . . . device”, “a . . . tool”, “a . . . means”, or “a . . . function”, and may also be “a . . . step”, “a . . . procedure”, or “a . . . process”. What is described as “a . . . device” may be “a . . . circuit”, “a . . . tool”, “a . . . means”, or “a . . . function”, and may also be “a . . . step”, “a . . . procedure”, or “a . . . process”. What is described as “a . . . process” may be “a . . . step”. That is, what is described as “a . . . unit” may be implemented by firmware stored in the ROM 913. Alternatively, “the . . . unit” may be implemented solely by software, or solely by hardware such as elements, devices, boards, and wiring, or by a combination of software and hardware, or by a combination including firmware. Firmware or software is stored as a program in a storage medium such as the ROM 913. The program is read by the CPU 911 and executed by the CPU 911. That is, the program causes a computer or the like to function as “the . . . unit” described above. Alternatively, the program causes the computer or the like to execute a procedure or a method of “the . . . unit” described above.

LIST OF REFERENCE SIGNS

-   -   10: cryptographic processing system     -   100: key generation device     -   110: master key generation unit     -   120: master key storage unit     -   130: key vector generation unit     -   140: randomizing vector generation unit     -   150 key-generation vector generation unit     -   160: key distribution unit     -   200: encryption device     -   210: transmission information setting unit     -   220: cipher vector generation unit     -   230: cipher information generation unit     -   240: data transmission unit     -   250: public key acquisition unit     -   260: session key generation unit     -   300: decryption device     -   310: vector input unit     -   320: key vector storage unit     -   330: pairing operation unit     -   400: key delegation device     -   410: key vector acquisition unit     -   420: key vector generation unit     -   430: randomizing vector generation unit     -   440: key-generation vector generation unit     -   450: key distribution unit 

1. A cryptographic processing system that performs a predicate encryption process using dual vector spaces of a space V and a space V* paired through a pairing operation shown in Formula 1, the cryptographic processing system comprising: an encryption device that, using a processing device, generates as a cipher vector c₁ a vector of a basis B̂, the basis B̂ having, out of basis vectors b_(i) (i=1, . . . , n, . . . , N) (N being an integer of 3 or greater and n being an integer from 1 to N−2) that constitute a predetermined basis B of the space V, basis vectors b_(i) (i=1, . . . , n) and a basis vector d_(n+1) which is a sum of two or more basis vectors b_(i) (i=n+1, . . . , m) out of the basis vectors b_(i) (i=n+1, . . . , N), the cipher vector c₁ being the vector in which attribute information is embedded as coefficients of one or more basis vectors out of the basis vector b_(i) (i=1, . . . , n), and predetermined information is embedded as a coefficient of the basis vector d_(n+1); and a decryption device that, using the processing device, performs the pairing operation e (c₁, k*_(L,dec)) shown in Formula 1 on the cipher vector c₁ generated by the encryption device and a key vector k*_(L,dec) to decrypt the cipher vector c₁ and to extract a value concerning the predetermined information, the key vector k*_(L,dec) being a vector of a basis B* of the space V* and constructed such that predicate information is embedded as coefficients of one or more basis vectors of basis vectors b*_(i) (i=1, . . . , n) out of basis vectors b*_(i) (i=1, . . . , n, . . . , N) that constitute the basis B*, and coefficients of basis vectors b*_(i) (i=n+1, . . . , m) of the basis B* are embedded such that a sum of the coefficients of the basis vectors b*_(i) (i=n+1, . . . , m) is
 1. e(p,q):=Π_(i=1) ^(N) e(χ_(i) b _(i),η_(i) b* _(i))  [Formula 1] where p:=Σ_(i=1) ^(N)χ_(i)b_(i), q:=Σ_(i=1) ^(N)η_(i)b_(i)*, χ_(i),η_(i): predetermined values.
 2. The cryptographic processing system of claim 1, further comprising: a key generation device that, using the processing device, generates as the key vector k*_(L,dec) the vector in which the predicate information is set as the coefficients of the one or more basis vectors of the basis vectors b*_(i) (i=1, . . . , n) out of the basis vectors b*_(i) (i=1, . . . , N) that constitute the basis B*, and the coefficients of the basis vectors b*_(i) (i=n+1, . . . , m) are set such that the sum of the coefficients of the basis vectors b*_(i) (i=n+1, . . . , m) is 1, and wherein the decryption device obtains the key vector k*_(L,dec) generated by the key generation device, and performs the pairing operation on the key vector k*_(L,dec) obtained and the cipher vector c₁.
 3. The cryptographic processing system of claim 2, further comprising: a key delegation device that generates as a key vector k*_(L+1,dec) a vector that can decrypt one or more, but not all, of cipher vectors that can be decrypted by the key vector k*_(L,dec) generated by the key generation device, the key vector k*_(L+1,dec) being the vector in which random numbers having uniformly distributed values are set as coefficients of basis vectors in which predicate information is set.
 4. A key generation device that generates a key vector k*_(L,dec) which is a secret key in a predicate encryption scheme, the key generation device comprising: a master key storage unit that, when a space V and a space V* are dual vector spaces paired through a pairing operation, stores in a storage device a predetermined basis B* of the space V*; and a key vector generation unit that, using a processing device, generates as the key vector k*_(L,dec) a vector in which predicate information is set as coefficients of one or more basis vectors b*_(i) (i=1, . . . , μ_(L)) of basis vector b*_(i) (i=1, . . . , n) out of basis vectors b*_(i) (i=1, . . . , n, . . . , N) (N being an integer of 3 or greater and n being an integer from 1 to N−2) that constitute the basis B* stored by the master key storage unit, and coefficients of two or more predetermined basis vectors out of basis vectors b*_(i) (i=n+1, . . . , N) are set such that a sum of the coefficients of the two or more predetermined basis vectors is
 1. 5. The key generation device of claim 4, wherein the key vector generation unit generates the key vector k*_(L,dec) as shown in Formula
 2. k* _(L,dec):=Σ_(t=1) ^(L)σ_(0,t)(Σ_(i=μ) _(t−1) ₊₁ ^(μt) ^(t) v _(i) b* _(i))+η₀ b* _(n+1)+(1−η₀)b* _(n+2)  [Formula 2] where σ_(0,i),η₀ (i=1, . . . , L): predetermined values, v_(i) (i=1, . . . , μ_(L)): predicate information.
 6. The key generation device of claim 4, wherein the key vector generation unit generates the key vector k*_(L,dec) as shown in Formula
 3. k* _(L,dec):=Σ_(t=1) ^(L)σ_(dec,t)(Σ_(i=1) ^(n) v _(t,i) b* _(i))+η_(dec) b* _(n+1)+(1−η_(dec))b* _(n+2)  [Formula 3] where σ_(dec,t),η_(dec) (t=1, . . . , L): predetermined values, v_(t,i) (t=1, . . . , L; i=1, . . . , n): predicate information.
 7. The key generation device of claim 4, further comprising: a key-generation vector generation unit that, using the processing device, generates as a key-generation vector k*_(L,del,j) at least an (n−μ_(L)) number of vectors that can decrypt one or more, but not all, of cipher vectors that can be decrypted by the key vector k*_(L,dec) generated by the key vector generation unit, the key-generation vector k*_(L,del,j) being a vector in which a predetermined value is set as a coefficient of a basis vector b*_(j) for at least each j of j=μ_(L)+1, . . . , n; and a randomizing vector generation unit that, using the processing device, generates as a randomizing vector k*_(L,ran,j) at least an (L+1) number of vectors for setting uniformly distributed values as coefficients of basis vectors of the key vector k*_(L+1,dec) generated with the key-generation vector k*_(L,del,j) generated by the key-generation vector generation unit, the coefficients being set such that predicate information is set, and the randomizing vector k*_(L, ran,j) being a vector in which a predetermined value is set as a coefficient of a basis vector b*_(j) for at least each j of j=1, . . . , L+1.
 8. The key generation device of claim 7, wherein the key vector generation unit generates the key-generation vector k*_(L,del,j) as shown in Formula 4, and wherein the randomizing vector generation unit generates the randomizing vector k*_(L,ran,j) as shown in Formula
 5. k* _(L,del,j):=Σ_(t=1) ^(L)σ_(j,t)(Σ_(i=μ) _(t−1) ₊₁ ^(μt) ^(t) v _(i) b* _(i))+ψb* _(j)+η_(j) b* _(n+1)−η_(j) b* _(n+2) (j=μ _(L)+1, . . . ,n)  [Formula 4] where σ_(j,i),ψ,η_(j) (j=μ_(L)+1, . . . , n; i=1, . . . , L): predetermined values, v_(i) (i=1, . . . , μ_(L)): predicate information. k* _(L,ran,j):=Σ_(t=1) ^(L)σ_(j,t)(Σ_(i=μ) _(t−1) ₊₁ ^(μt) ^(t) v _(i) b* _(i))+η_(j) b* _(n+1)−η_(j) b* _(n+2) (j=1, . . . ,L+1)  [Formula 5] where σ_(j,i),η_(j) (j=1, . . . , L+1; i=1, . . . , L): predetermined values, v_(i) (i=1, . . . , μ_(L)): predicate information.
 9. The key generation device of claim 7, wherein the key vector generation unit generates the key-generation vector k*_(L,del,j) as shown in Formula 6, and wherein the randomizing vector generation unit generates the randomizing vector k*_(L,ran,j) as shown in Formula
 7. k* _(L,del,j):=Σ_(t=1) ^(L)σ_(j,t)(Σ_(i=1) ^(n) v _(t,i) b* _(i))+ψb* _(j)+η_(del,j) b* _(n+1)−η_(del,j) b* _(n+2) (j=1, . . . ,n)  [Formula 6] where σ_(del,j,t),η_(del,j),ψ (j=1, . . . , n; t=1, . . . , L): predetermined values, v_(t,i) (t=1, . . . , L; i=1, . . . , n): predicate information. k* _(L,ran,j):=Σ_(t=1) ^(L)σ_(j,t)(Σ_(i=1) ^(n) v _(t,i) b* _(i))+η_(ran,j) b* _(n+1)−η_(ran,j) b* _(n+2) (j=1, . . . ,L+1)  [Formula 7] where σ_(ran,j,t),η_(ran,j) (j=1, . . . , L+1; t=1, . . . , L): predetermined values, v_(t,i) (t=1, . . . , L; i=1, . . . ,n): predicate information.
 10. A key delegation device that generates a key vector k*_(L+1,dec) that can decrypt one or more, but not all, of cipher vectors that can be decrypted by a key vector k*_(L,dec) which is a secret key in a predicate encryption scheme, the key delegation device comprising: a key vector acquisition unit that, when a space V and a space V* are dual vector spaces paired through a pairing operation, obtains the key vector k*_(L,dec) in which predicate information is set as coefficients of one or more basis vectors b*_(i) (i=1, . . . , μ_(L)) of basis vectors b*_(i) (i=1, . . . , n) out of basis vector b*_(i) (i=1, . . . , n, . . . , N) (N being an integer of 3 or greater and n being an integer from 1 to N−2) that constitute a predetermined basis B* of the space V*, and coefficients of two or more predetermined basis vectors out of basis vectors b*_(i) (i=n+1, . . . , N) are set such that a sum of the coefficients of the two or more predetermined basis vectors is 1; a key-generation vector acquisition unit that obtains at least an (n−μ_(L)) number of key-generation vectors k*_(L,del,j) in which a predetermined value is set as a coefficient of a basis vector b*_(j) for at least each j of j=μ_(L)+1, n; and a key vector generation unit that generates the key vector k*_(L+1,dec) by multiplying by predicate information a coefficient of each basis vector of one or more key-generation vectors k*_(L,del,j) out of the key generation vectors k*_(L,del,j) obtained by the key-generation vector acquisition unit and adding each result to the key vector k*_(L,dec) obtained by the key vector acquisition unit.
 11. The key delegation device of claim 10, further comprising: a randomizing vector acquisition unit that obtains at least an (L+1) number of randomizing vectors k*_(L,ran,j) in which a predetermined value is set as a coefficient of a basis vector b*_(j) for at least each j of j=1, . . . , L+1, and wherein the key vector generation unit generates the key vector k*_(L+1,dec) by multiplying by a random number a coefficient of each basis vector of one or more randomizing vectors k*_(L,ran,j) out of the randomizing vectors k*_(L,ran,j) obtained by the randomizing vector acquisition unit and further adding each result to the key vector k*_(L+1,dec).
 12. The key delegation device of claim 11, wherein the key vector acquisition unit obtains the key vector k*_(L,dec) as shown in Formula 8, wherein the key-generation vector acquisition unit obtains the key-generation vector k*_(L,del,j) as shown in Formula 9, wherein the randomizing vector acquisition unit obtains the randomizing vector k*_(L,ran,j) as shown in Formula 10, and wherein the key vector generation unit generates the key vector k*_(L+1,dec) as shown in Formula
 11. k* _(L,dec):=Σ_(t=1) ^(L)σ_(0,t)(Σ_(i=μ) _(t−1) ₊₁ ^(μt) ^(t) v _(i) b* _(i))+η₀ b* _(n+1)+(1−η₀)b* _(n+2)  [Formula 8] where σ_(0,i),η₀ (i=1, . . . , L): predetermined values, v_(i) (i=1, . . . , μ_(L)): predicate information. k* _(L,del,j):=Σ_(t=1) ^(L)σ_(j,t)(Σ_(i=μ) _(t−1) ₊₁ ^(μt) ^(t) v _(i) b* _(i))+ψb* _(j)+η_(j) b* _(n+1)−η_(j) b* _(n+2) (j=μ _(L)+1, . . . ,n)  [Formula 4] where σ_(j,i),ψ,η_(j) (j=μ_(L)+1, . . . ,n; i=1, . . . , L): predetermined values, v_(i) (i=1, . . . , μ_(L): predicate information. k* _(L,ran,j):=Σ_(t=1) ^(L)σ_(j,t)(Σ_(i=μ) _(t−1) ₊₁ ^(μt) ^(t) v _(i) b* _(i))+η_(j) b* _(n+1)−η_(j) b* _(n+2) (j=1, . . . ,L+1)  [Formula 10] where σ_(j,i),η_(j) (j=1, . . . , L+1; i=1, . . . , L): predetermined values, v_(i) (i=1, . . . , μ_(L)): predicate information. k* _(L+1,dec:) =k* _(L,dec)+Σ_(i=1) ^(L+1)α_(0,i) k* _(L,ran,i)+σ₀(Σ_(i=μ) _(L) ₊₁ ^(μ) ^(L+1) v _(i) k* _(L,del,i))  [Formula 11] where α_(0,i),σ₀ (i=1, . . . , L+1): predetermined values, v_(i)=(i=μ_(L)+1, . . . , μ_(L+1)) predicate information.
 13. The key delegation device of claim 11, wherein the key vector acquisition unit obtains the key vector k*_(L,dec) as shown in Formula 12, wherein the key-generation vector acquisition unit obtains the key-generation vector k*_(L,del,i) as shown in Formula 13, wherein the randomizing vector acquisition unit obtains the randomizing vector k*_(L,ran,j) as shown in Formula 14, and wherein the key vector generation unit generates the key vector k*_(L+1,dec) as shown in Formula
 15. k* _(L,dec):=Σ_(t=1) ^(L)σ_(dec,t)(Σ_(i=1) ^(n) v _(t,i) b* _(i))+η_(dec) b* _(n+1)+(1−η_(dec))b* _(n+2)  [Formula 12] where σ_(dec,t),η_(dec) (t=1, . . . , L): predetermined values, v_(t,i) (t=1, . . . , L; i=1, . . . ,n): predicate information. k* _(L,del,j):=Σ_(t=1) ^(L)σ_(del,j,t)(Σ_(i=1) ^(n) v _(t,i) b* _(i))+ψb* _(j)+η_(del,j) b* _(n+1)−η_(del,j) b* _(n+2) (j=1, . . . ,n)  [Formula 13] where σ_(del,j,t),η_(del,j),ψ (j=1, . . . ,n; t=1, . . . , L): predetermined values, v_(t,i) (t=1, . . . , L; i=1, . . . , n): predicate information. k* _(L,Ran,j):=Σ_(t=1) ^(L)σ_(ran,j,t)(Σ_(i=1) ^(n) v _(t,i) b* _(i))+η_(ran,j) b* _(n+1)−η_(ran) ,jb* _(n+2) (j=1, . . . ,n)  [Formula 13] where σ_(ran,j,t),η_(ran,j) (j=1, . . . , L+1; t=1, . . . , L): predetermined values, v_(t,i) (t=1, . . . , L; i=1, . . . , n): predicate information. k* _(L+1,dec) :=k* _(L,dec)+Σ_(t=1) ^(L+1)α_(dec,t) k* _(L,ran,t)+σ_(dec)(Σ_(i=1) ^(n) v _(L+1,i) k* _(L,del,i)) where σ_(dec,t),σ_(dec) (t=1, . . . , L+1): predetermined values, v_(L+1,i) (i=1, . . . ,n): predicate information.
 14. The key delegation device of claim 11, further comprising: a key-generation vector generation unit that, using a processing device, generates as a key-generation vector k*_(L+1,del,j) at least an (n−μ_(L+1)) number of vectors that can decrypt one or more, but not all, of cipher vectors that can be decrypted by the key vector k*_(L+1,dec) generated by the key vector generation unit, the key-generation vector k*_(L+1,del,j) being a vector in which a predetermined value is set as a coefficient of a basis vector b*_(j) for at least each j of j=μ_(L+1)+1, . . . , n; and a randomizing vector generation unit that, using the processing device, generates as a randomizing vector k*_(L+1,ran,j) at least an (L+2) number of vectors for setting uniformly distributed values as coefficients of basis vectors of the key vector k*_(L+2,dec) generated with the key-generation vector k*_(L+1,del,j) generated by the key-generation vector generation unit, the coefficients being set such that predicate information is set, and the randomizing vector k*_(L+1,ran,j) being a vector in which a predetermined value is set as a coefficient of a basis vector b*_(j) for at least each j of j=1, . . . , L+2.
 15. The key delegation device of claim 14, wherein the key-generation vector acquisition unit obtains the key-generation vector k*_(L,del,j) as shown in Formula 16, wherein the randomizing vector acquisition unit obtains the randomizing vector k*_(L,ran,j) as shown in Formula 17, wherein the key vector generation unit generates the key-generation vector k*_(L+1,del,j) as shown in Formula 18, and wherein the randomizing vector generation unit generates the randomizing vector k* _(L,del,j):=Σ_(t=1) ^(L)σ_(j,t)(Σ_(i=μ) _(t−1) ₊₁ ^(μt) ^(t) v _(i) b* _(i))+ψb* _(j)+η_(j) b* _(n+1)−η_(j) b* _(n+2) (j=μ _(L)+1, . . . ,n)  [Formula 16] where σ_(j,t),ψ,η_(j) (j=μ_(L)+1, . . . , n; t=1, . . . , L): predetermined values, v_(i) (i=1, . . . , μ_(L)): predicate information. k* _(L,ran,j):=Σ_(t=1) ^(L)σ_(j,t)(Σ_(i=μ) _(t−1) ₊₁ ^(μt) ^(t) v _(i) b* _(i))+η_(j) b* _(n+1)−η_(j) b* _(n+2) (j=1, . . . ,L+1)  [Formula 17] where σ_(j,t),η_(j) (j=1, . . . , L+1; t=1, . . . , L): predetermined values, v_(i) (i=1, . . . , μ_(L)): predicate information. k* _(L+1,del,j):=Σ_(i=1) ^(L+1)α_(j,i) k* _(L,ran,i)+σ_(j)(Σ_(i=μ) _(L) ₊₁ ^(μ) ^(L+1) v _(i) k* _(L,del,i))+ψ′k* _(L,del,j) (j=μ _(L+1)+1, . . . ,n)  [Formula 18] where α_(j,i),σ_(j),ψ′ (j=μ_(L+1)+1, . . . , n; i=1, . . . , L+1): predetermined values, v_(i) (i=μ_(L)+1, . . . , μ_(L+1)): predicate information. k* _(L+1,ran,j):=Σ_(i=1) ^(L+1)α_(j,i) k* _(L,ran,i)+σ_(j)(Σ_(i=μ) _(L) ₊₁ ^(μ) ^(L+1) v _(i) k* _(L,del,i)) (j=1, . . . ,L+2)  [Formula 19] where α_(j,i),σ_(j) (j=1, . . . , L+2; i=1, . . . ,L+1): predetermined values, v_(i) (i=μ_(L)+1, . . . , μ_(L+1)): predicate information.
 16. The key delegation device of claim 14, wherein the key-generation vector acquisition unit obtains the key-generation vector k*_(L,del,j) as shown in Formula 20, wherein the randomizing vector acquisition unit obtains the randomizing vector k*_(L,ran,j) as shown in Formula 21, wherein the key vector generation unit generates the key-generation vector k*_(L+1,del,j) as shown in Formula 22, and wherein the randomizing vector generation unit generates the randomizing vector k*_(L+1,ran,j) as shown in Formula
 23. k* _(L,del,j):=Σ_(t=1) ^(L)σ_(del,j,t)(Σ_(i=1) ^(n) v _(t,i) b* _(i))+ψb* _(j)+η_(del,j) b* _(n+1)−η_(del,j) b* _(n+2) (j=1, . . . ,n)  [Formula 20] where σ_(del,j,t),η_(del,j),ψ (j=1, . . . ,n; t=1, . . . , L): predetermined values, v_(t,i) (t=1, . . . , L; i=1, . . . , n): predicate information. k* _(L,ran,j):=Σ_(t=1) ^(L)σ_(ran,j,t)(Σ_(i=1) ^(n) v _(t,i) b* _(i))+η_(ran,j) b* _(n+1)−η_(ran,j) b* _(n+2) (j=1, . . . ,L+1)  [Formula 21] where σ_(ran,j,t),η_(ran,j) (j=1, . . . ,L+1; t=1, . . . , L): predetermined values, v_(t,i) (t=1, . . . , L; i=1, . . . , n): predicate information. k* _(L+1,del,j):=Σ_(t=1) ^(L+1)α_(del,j,t) k* _(L,del,t)+σ_(del,j)(Σ_(i=1) ^(n) v _(L+1,i) k* _(L,del,i))+ψ′k* _(L,del,j) (j=1, . . . ,n)  [Formula 22] where σ_(del,j,t), σ_(del,j),ψ′ (j=1, . . . ,n; i=1, . . . , L+1): predetermined values, v_(L+1,i) (i=1, . . . ,n): predicate information. k* _(L+1,ran,j):=Σ_(t=1) ^(L+1)α_(ran,j,t) k* _(L,ran,t)+σ_(Ran,j)(Σ_(i=1) ^(n) v _(L+1,i) k* _(L,del,i)) (j=1, . . . ,L+2)  [Formula 23] where σ_(ran,j,t),σ_(ran,j) (j=1, . . . , L+2; t=1, . . . , L+1): predetermined values, v_(L+1,i) (i=1, . . . , n): predicate information.
 17. An encryption device that generates a cipher vector c₁ which is a ciphertext in a predicate encryption scheme, the encryption device comprising: a public key acquisition unit that, when a space V and a space V* are dual vector spaces paired through a pairing operation, obtains a basis B̂ and predetermined attribute information, the basis B̂ having, out of basis vector b_(i) (i=1, . . . , n, . . . , N) (N being an integer of 3 or greater and n being an integer from 1 to N−2) that constitute a predetermined basis B of the space V, basis vectors b_(i) (i=1, . . . , n) and a basis vector d₊₁ which is a sum of two or more predetermined basis vectors out of basis vectors b_(i) (i=n+1, . . . , N); a transmission information setting unit that, using a processing device, generates as a transmission information vector a vector of the basis B̂ obtained by the public key acquisition unit, the transmission information vector being the vector in which predetermined information is set as a coefficient of the basis vector d_(n+1); and a cipher vector generation unit that, using the processing device, generates the cipher vector c₁ by adding an attribute information vector in which attribute information is set as coefficients of one or more basis vectors out of the basis vectors b_(i) (i=1, . . . , n) of the basis B̂ to the transmission information vector generated by the transmission information setting unit.
 18. The encryption device of claim 17, wherein the transmission information setting unit generates the transmission information vector ζv as shown in Formula 24, and wherein the cipher vector generation unit generates the cipher vector c₁ as shown in Formula
 25. ζv:=ζd _(n+1)  [Formula 24] where ζ: predetermined value. c ₁:=Σ_(t=1) ^(d)δ_(t)(Σ_(i=μ) _(t−1) ₊₁ ^(μ) ^(t) x _(i) b _(i))+ζd _(n+1)  [Formula 25] where ({right arrow over (x)}₁, . . . , {right arrow over (x)}_(L)):=((x₁, . . . , x_(μ) ₁ ), . . . , (x_(μ) _(L−1) ₊₁, . . . , x_(μ) _(L) )): attribute information, ({right arrow over (x)}_(L+1), . . . , {right arrow over (x)}_(d)):=((x_(μ) _(L) ₊₁, . . . , x_(μ) _(L+1) ), . . . , (x_(μ) _(d−1) ₊₁, . . . , x_(μ) _(d) )): predetermined values, δ₁, . . . , δ_(d): predetermined values.
 19. The encryption device of claim 17, wherein the transmission information setting unit generates the transmission information vector N as shown in Formula 26, and wherein the cipher vector generation unit generates the cipher vector c₁ as shown in Formula
 27. ζv:=ζd _(n+1)  [Formula 26] where ζ: predetermined value. c ₁:=Σ_(t=1) ^(L)δ_(t)(Σ_(i=1) ^(n) x _(i) b _(i))+ζd _(n+1)  [Formula 27] where ({right arrow over (x)}₁, . . . , {right arrow over (x)}_(L)):=((x_(1,1), . . . , x_(1,n)), . . . , (x_(L,1), . . . , x_(L,n))): attribute information, δ₁, . . . , δ_(d): predetermined values.
 20. The encryption device of claim 17, further comprising: a cipher information generation unit that generates cipher information c₂ shown in Formula
 28. c ₂ :=g _(T) ^(ζ) m  [Formula 28] where g_(T)=e(a_(i),a*_(i))≠1. A is a basis of the space V and is A:=(a₁, . . . , a_(N)) A* is a basis of the space V and is A*:=(a₁*, . . . , a_(N)*).
 21. A decryption device that decrypts a ciphertext in a predicate encryption scheme, the decryption device comprising: a vector input unit that, when a space V and a space V* are dual vector spaces paired through a pairing operation, inputs a cipher vector c₁ of a basis B̂, the basis B̂ having, out of basis vectors b_(i) (i=1, . . . , n, . . . , N) (N being an integer of 3 or greater and n being an integer from 1 to N−2) that constitute a predetermined basis B of the space V, basis vectors b_(i) (i=1, . . . , n) and a basis vector d_(n+1) which is a sum of two or more predetermined basis vectors out of basis vectors b_(i) (i=n+1, . . . , N), the cipher vector c₁ being a vector in which attribute information is set as coefficients of at least basis vectors b_(i) (i=1, . . . , μ_(h)) out of the basis vectors b_(i) (i=1, . . . , n) and predetermined information is set as a coefficient of the basis vector d_(n+1); a key vector storage unit that stores in a storage device a key vector k*_(L,dec) in which predicate information v_(i) (i=1, . . . , μ_(L)) is set as coefficients of at least basis vectors b*_(i) (i=1, . . . , μ_(L)(μ_(L)≦μ_(h)) of basis vectors b*_(i) (i=1, . . . , n) out of basis vectors b*_(i) (i=1, . . . , n, . . . , N) of a predetermined basis B* of the space V*, and coefficients of basis vectors b*_(i) corresponding to the basis vectors b_(i) that constitute the basis vector d_(n+1) are set such that a sum of the coefficients of the basis vectors b*_(i) is 1; and a pairing operation unit that, using a processing device, performs the pairing operation on the cipher vector c₁ input by the vector input unit and the key vector k*_(L,dec) stored by the key vector storage unit to extract from the cipher vector c₁ a value concerning the predetermined information.
 22. The decryption device of claim 21, wherein the vector input unit inputs the cipher vector c₁ as shown in Formula 29, wherein the key vector storage unit stores the key vector k*_(L,dec) as shown in Formula 30, and wherein the pairing operation unit performs the pairing operation as shown in Formula 31 to extract from the cipher vector the value concerning the predetermined information. c ₁:=Σ_(t=1) ^(d)δ_(t)(Σ_(i=μ) _(t−1) ₊₁ ^(μ) ^(t) x _(i) b _(i))+ζd _(n+1)  [Formula 29] where ({right arrow over (x)}₁, . . . , {right arrow over (x)}_(h)):=((x₁, . . . , x_(μ) ₁ ), . . . , (x_(μ) _(L−1) ₊₁, . . . , x_(μ) _(h) )): attribute information, ({right arrow over (x)}_(h+1), . . . , {right arrow over (x)}_(d)):=((x_(μ) _(h) ₊₁, . . . , x_(μ) _(h+2) ), . . . , (x_(μ) _(d−1) ₊₁, . . . , x_(μ) _(d) )): predetermined values, δ₁, . . . , δ_(d),ζ: predetermined values. k* _(L,dec):=Σ_(t=1) ^(L)σ_(0,t)(Σ_(i=μ) _(t−1) ₊₁ ^(μt) ^(t) v _(i) b* _(i))+η₀ b* _(n+1)+(1−η₀)b* _(n+2)  [Formula 30] where σ_(0,i),η₀ (i=1, . . . , L): predetermined values, v_(i) (i=1, . . . , μ_(L)): predicate information. e(c ₁ ,k* _(L,dec))  [Formula 31] where e(p,q):=Π_(i=1) ^(N)e(χ_(i)b_(i),η_(i)b*_(i)), p:=Σ_(i=1) ^(N)χ_(i)b_(i), q:=Σ_(i=1) ^(N)η_(i)b_(i)*, χ_(i),η_(i): predetermined values.
 23. The decryption device of claim 21, wherein the vector input unit inputs the cipher vector c₁ as shown in Formula 32, wherein the key vector storage unit stores the key vector k*_(L,dec) as shown in Formula 33, and wherein the pairing operation unit performs the pairing operation as shown in Formula 34 to extract from the cipher vector the value concerning the predetermined information. c ₁:=Σ_(t=1) ^(h)δ_(t)(Σ_(i=1) x _(t,i) b _(i))+ζd _(n+1)  [Formula 32] where ({right arrow over (x)}₁, . . . , {right arrow over (x)}_(h)):=((x_(1,1), . . . , x_(1,n)), . . . , (x_(h,1), . . . , x_(h,n))): attribute information, δ₁, . . . , δ_(d): predetermined values. k* _(L,dec):=Σ_(t=1) ^(L)σ_(dec,t)(Σ_(i=1) ^(n) v _(t,i) b* _(i))+η_(dec) b* _(n+1)+(1−η_(dec))b* _(n+2)  [Formula 33] where σ_(dec,t),η_(dec) (t=1, . . . , L): predetermined values, v_(t,i) (t=1, . . . , L; i=1, . . . , n): predicate information. e(c ₁ ,k* _(L,dec))  [Formula 34] where e(p,q):=Π_(i=1) ^(N)e(χ_(i)b_(i),η_(i)b*_(i)) p:=Σ_(i=1) ^(N)χ_(i)b_(i), q:=Σ_(i=1) ^(N)η_(i)b_(i)*, χ_(i),η_(i): predetermined values.
 24. The decryption device of claim 21, wherein the vector input unit inputs the cipher vector c₁ as shown in Formula 35 and cipher information c₂ as shown in Formula 36 in which a message m is encrypted, wherein the key vector storage unit stores the key vector k*_(L,dec) as shown in Formula 37, and wherein the pairing operation unit performs an operation as shown in Formula 38 to extract the message m from the cipher vector c₁. c ₁:=Σ_(t=1) ^(d)δ_(t)(Σ_(i=μ) _(t−1) ₊₁ ^(μ) ^(t) x _(i) b _(i))+ζd _(n+1)  [Formula 35] where ({right arrow over (x)}₁, . . . , {right arrow over (x)}_(h)):=((x₁, . . . , x_(μ) ₁ ), . . . , (x_(μ) _(L−1) ₊₁, . . . , x_(μ) _(h) )): attribute information, ({right arrow over (x)}_(h+1), . . . , {right arrow over (x)}_(d)):=((x_(μ) _(h+1) ₊₁, . . . , x_(μ) _(h+2) ), . . . , (x_(μ) _(d−1) ₊₁, . . . , x_(μ) _(d) )): predetermined values, δ₁, . . . , δ_(d): predetermined values. c ₂ :=g _(T) ^(ζ) m  [Formula 36] where g_(T)=e(a_(i),a*_(i))≠1. A is a basis of the space V and is A:=(a₁, . . . , a_(N)) A* is a basis of the space V and is A*:=(a₁*, . . . , a_(N)*). k* _(L,dec):=Σ_(t=1) ^(L)σ_(0,t)(Σ_(i=μ) _(t−1) ₊₁ ^(μt) ^(t) v _(i) b* _(i))+η₀ b* _(n+1)+(1−η₀)b* _(n+2)  [Formula 37] where σ_(0,i),η₀ (i=1, . . . , L): predetermined values, v_(i) (i=1, . . . , μ_(L)): predicate information. m:=c ₂ /e(c ₁ ,k* _(L,dec))  [Formula 38] where e(p,q):=Π_(i=1) ^(N)e(χ_(i)b_(i),η_(i)b*_(i)) p:=Σ_(i=1) ^(N)χ_(i)b_(i), q:=Σ_(i=1) ^(N)η_(i)b_(i)*, χ_(i),η_(i): predetermined values.
 25. The decryption device of claim 21, wherein the vector input unit inputs the cipher vector c₁ as shown in Formula 39 and cipher information c₂ as shown in Formula 40 in which a message m is encrypted, wherein the key vector storage unit stores the key vector k*_(L,dec) as shown in Formula 41, and wherein the pairing operation unit performs an operation as shown in Formula 42 to extract the message m from the cipher vector c₁. c ₁:=Σ_(t=1) ^(h)δ_(t)(Σ_(i=1) ^(n) x _(i) b _(i))+ζd _(n+1)  [Formula 39] where ({right arrow over (x)}₁, . . . , {right arrow over (x)}_(h)):=((x_(1,1), . . . , x_(1,n)), . . . , (x_(h,1), . . . , x_(h,n))): attribute information, δ₁, . . . , δ_(d): predetermined values. c ₂ :=g _(T) ^(ζ) m  [Formula 40] where g_(T)=e(a_(i),a*_(i))≠1. A is a basis of the space V and is A:=(a₁, . . . , a_(N)) A* is a basis of the space V and is A*:=(a₁*, . . . , a_(N)*). k* _(L,dec):=Σ_(t=1) ^(L)σ_(dec,t)(Σ_(i=1) ^(n) v _(i) b* _(i))+η_(dec) b* _(n+1)+(1−η_(dec))b* _(n+2)  [Formula 41] where σ_(dec,t),η_(dec) (t=1, . . . , L): predetermined values, v_(t,i) (t=1, . . . , μ_(L)): predicate information. m:=c ₂ /e(c ₁ ,k* _(L,dec))  [Formula 42] where e(p,q):=Π_(i=1) ^(N)e(χ_(i)b_(i),η_(i)b*_(i)) p:=Σ_(i=1) ^(N)χ_(i)b_(i), q:=Σ_(i=1) ^(N)η_(i)b_(i)*, χ_(i),η_(i): predetermined values.
 26. A cryptographic processing system that performs a predicate encryption process using dual modules of a space V and a space V* paired through a pairing operation shown in Formula 43, the cryptographic processing system comprising: an encryption device that, using a processing device, generates as a cipher vector c₁ a vector of a basis B̂, the basis B̂ having, out of basis vectors b_(i) (i=1, . . . , n, . . . , N) (N being an integer of 3 or greater and n being an integer from 1 to N−2) that constitute a predetermined basis B of the space V, basis vectors b_(i) (i=1, . . . , n) and a basis vector d_(n+) ₁ which is a sum of two or more basis vectors b_(i) (i=n+1, . . . , m) out of the basis vectors b_(i) (i=n+1, . . . , N), the cipher vector c₁ being the vector in which attribute information is embedded as coefficients of one or more basis vectors out of the basis vector b_(i) (i=1, . . . , n), and predetermined information is embedded as a coefficient of the basis vector d_(n+1); and a decryption device that, using the processing device, performs the pairing operation e (c₁,k*_(L,dec)) shown in Formula 43 on the cipher vector c₁ generated by the encryption device and a key vector k*_(L,dec) to decrypt the cipher vector c₁ and to extract a value concerning the predetermined information, the key vector k*_(L,dec) being a vector of a basis B* of the space V* and constructed such that predicate information is embedded as coefficients of one or more basis vectors of basis vectors b*_(i) (i=1, . . . , n) out of basis vectors b*_(i) (i=1, . . . , n, . . . , N) that constitute the basis B*, and coefficients of basis vectors b*_(i) (i=n+1, . . . , m) of the basis B* are embedded such that a sum of the coefficients of the basis vectors b*_(i) (i=n+1, . . . , m) is
 1. e(p,q):=Π_(i=1) ^(N) e(χ_(i) b _(i),η_(i) b* _(i))  [Formula 43] where p:=Σ_(i=1) ^(N)χ_(i)b_(i), q:=Σ_(i=1) ^(N)η_(i)b_(i)*, χ_(i),η_(i): predetermined values.
 27. A key generation device that generates a key vector k*_(L,dec) which is a secret key in a predicate encryption scheme, the key generation device comprising: a master key storage unit that, when a space V and a space V* are dual modules paired through a pairing operation, stores in a storage device a predetermined basis B* of the space V*; and a key vector generation unit that, using a processing device, generates as the key vector k*_(L,dec) a vector in which predicate information is set as coefficients of one or more basis vectors b*_(i) (i=1, . . . , μ_(L)) of basis vector b*_(i) (i=1, . . . , n) out of basis vectors b*_(i) (i=n, . . . , N) (N being an integer of 3 or greater and n being an integer from 1 to N−2) that constitute the basis B* stored by the master key storage unit, and coefficients of two or more predetermined basis vectors out of basis vectors b*_(i) (i=n+1, . . . , N) are set such that a sum of the coefficients of the two or more predetermined basis vectors is
 1. 28. A key delegation device that generates a key vector k*_(L+1,dec) that can decrypt one or more, but not all, of cipher vectors that can be decrypted by a key vector k*_(L,dec) which is a secret key in a predicate encryption scheme, the key delegation device comprising: a key vector acquisition unit that, when a space V and a space V* are dual modules paired through a pairing operation, obtains the key vector k*_(L,dec) in which predicate information is set as coefficients of one or more basis vectors b*_(i) (i=_(ILL)) of basis vectors b*_(i) (i=1, . . . , n) out of basis vector b*_(i) (i=1, . . . , n, . . . , N) (N being an integer of 3 or greater and n being an integer from 1 to N−2) that constitute a predetermined basis B* of the space V*, and coefficients of two or more predetermined basis vectors out of basis vectors b*_(i) (i=n+1, . . . , N) are set such that a sum of the coefficients of the two or more predetermined basis vectors is 1; a key-generation vector acquisition unit that obtains at least an (n−μ_(L)) number of key-generation vectors k*_(L,del,j) in which a predetermined value is set as a coefficient of a basis vector b*_(j) for at least each j of j=μ_(l)+1, . . . , n; and a key vector generation unit that generates the key vector k*_(L+1,dec) by multiplying by predicate information a coefficient of each basis vector of one or more key-generation vectors k*_(L,del,j) out of the key generation vectors k*_(L,del,j) obtained by the key-generation vector acquisition unit and adding each result to the key vector k*_(L,dec) obtained by the key vector acquisition unit.
 29. An encryption device comprising: a public key acquisition unit that, when a space V and a space V* are dual modules paired through a pairing operation, obtains a basis B̂ and predetermined attribute information, the basis B̂ having, out of basis vector b_(i) (i=1, . . . , n, . . . , N) (N being an integer of 3 or greater and n being an integer from 1 to N−2) that constitute a predetermined basis B of the space V, basis vectors b_(i) (i=1, . . . , n) and a basis vector d_(n+1) which is a sum of two or more predetermined basis vectors out of basis vectors b_(i) (i=n+1, . . . , N); a transmission information setting unit that, using a processing device, generates as a transmission information vector ζv vector of the basis B̂ obtained by the public key acquisition unit, the transmission information vector ζvbeing the vector in which predetermined information is set as a coefficient of the basis vector_(d+1); and a cipher vector generation unit that, using the processing device, generates the cipher vector c₁ by adding an attribute information vector in which attribute information is set as coefficients of one or more basis vectors out of the basis vectors b_(i) (i=1, . . . , n) of the basis B̂ to the transmission information vector ζv generated by the transmission information setting unit.
 30. A decryption device comprising: a vector input unit that, when a space V and a space V* are dual modules paired through a pairing operation, inputs a cipher vector c₁ of a basis B̂, the basis B̂ having, out of basis vectors b_(i) (i=1, . . . , n, . . . , N) (N being an integer of 3 or greater and n being an integer from 1 to N−2) that constitute a predetermined basis B of the space V, basis vectors b_(i) (i=1, . . . , n) and a basis vector d_(n+1) which is a sum of two or more predetermined basis vectors out of basis vectors b_(i) (i=n+1, . . . , N), the cipher vector c₁ being a vector in which attribute information is set as coefficients of at least basis vectors b_(i) (i=1, . . . , μ_(h)) out of the basis vectors b_(i) (i=1, . . . , n) and predetermined information is set as a coefficient of the basis vector d_(n+1); a key vector storage unit that stores in a storage device a key vector k*_(L,dec) in which predicate information v_(i) (i=1, . . . , μ_(L)) is set as coefficients of at least basis vectors b*_(i) (i=1, . . . , μ_(L)) (μ_(L)≦μ_(h)) of basis vectors b*_(i) (i=1, . . . , n) out of basis vectors b*_(i) (i=1, . . . , n, . . . , N) of a predetermined basis B* of the space V*, and coefficients of basis vectors b*, corresponding to the basis vectors b_(i) that constitute the basis vector d_(n+1) are set such that a sum of the coefficients of the basis vectors b*_(i) is 1; and a pairing operation unit that, using a processing device, performs the pairing operation on the cipher vector c₁ input by the vector input unit and the key vector k*_(L,dec) stored by the key vector storage unit to extract from the cipher vector c₁ a value concerning the predetermined information.
 31. A cryptographic processing method of performing a predicate encryption process using dual vector spaces of a space V and a space V* paired through a pairing operation shown in Formula 44, the cryptographic processing method comprising: generating as a cipher vector c₁ a vector of a basis B̂, the basis B̂ having, out of basis vectors b_(i) (i=1, . . . , n, . . . , N) (N being an integer of 3 or greater and n being an integer from 1 to N−2) that constitute a predetermined basis B of the space V, basis vectors b_(i) (i=1, . . . , n) and a basis vector d_(n+1) which is a sum of two or more basis vectors b_(i) (i=n+1, . . . , m) out of the basis vectors b_(i) (i=n+1, . . . , N), the cipher vector c₁ being the vector in which attribute information is embedded as coefficients of one or more basis vectors out of the basis vector b_(i) (i=1, . . . , n), and predetermined information is embedded as a coefficient of the basis vector d_(n+1); and performing the pairing operation e (c₁, k*_(L,dec)) shown in Formula 44 on the cipher vector c₁ generated and key vector k*_(L,dec) to decrypt the cipher vector c₁ and to extract a value concerning the predetermined information, the key vector k*_(L,dec) being a vector of a basis B* of the space V* and constructed such that predicate information is embedded as coefficients of one or more basis vectors of basis vectors b*_(i) (i=1, . . . , n) out of basis vectors b*_(i) (i=1, . . . , n, . . . , N) that constitute the basis B*, and coefficients of basis vectors b* (i=n+1, . . . , m) of the basis B* are embedded such that a sum of the coefficients of the basis vectors b* (i=n+1, . . . , m) is
 1. e(p,q):=Π_(i=1) ^(N) e(χ_(i) b _(i),η_(i) b* _(i))  [Formula 44] where p:=Σ_(i=1) ^(N)χ_(i)b_(i), q:=Σ_(i=1) ^(N)η_(i)b_(i)*, χ_(i),η_(i): predetermined values.
 32. A cryptographic processing program that performs a predicate encryption process using dual vector spaces of a space V and a space V* paired through a pairing operation shown in Formula 45, the cryptographic processing program causing a computer to execute: an encryption process that generates as a cipher vector c₁ a vector of a basis B̂, the basis B̂ having, out of basis vectors b_(i) (i=1, . . . , n, . . . , N) (N being an integer of 3 or greater and n being an integer from 1 to N−2) that constitute a predetermined basis B of the space V, basis vectors b_(i) (i=1, . . . , n) and a basis vector d_(n+1) which is a sum of two or more basis vectors b_(i) (i=n+1, . . . , m) out of basis vectors b_(i) (i=n+1, . . . , N), the cipher vector c₁ being the vector in which attribute information is embedded as coefficients of one or more basis vectors out of the basis vector b_(i) (i=1, . . . , n), and predetermined information is embedded as a coefficient of the basis vector d_(n+1); and a decryption process that performs the pairing operation e (c₁, k*_(L,dec)) shown in Formula 45 on the cipher vector c₁ generated by the encryption device and a key vector k*_(L,dec) to decrypt the cipher vector c₁ and to extract a value concerning the predetermined information, the key vector k*_(L,dec) being a vector of a basis B* of the space V* and constructed such that predicate information is embedded as coefficients of one or more basis vectors of basis vectors b*_(i) (i=1, . . . , n) out of basis vectors b*_(i) (i=1, . . . , n, . . . , N) that constitute the basis B*, and coefficients of basis vectors b*_(i) (i=n+1, . . . , m) of the basis B* are embedded such that a sum of the coefficients of the basis vectors b*_(i)=n+1, . . . , m) is
 1. e(p,q):=Π_(i=1) ^(N) e(χ_(i) b _(i),η_(i) b* _(i))  [Formula 45] where p:=Σ_(i=1) ^(N)χ_(i)b_(i), q:=Σ_(i=1) ^(N)η_(i)b_(i)*, χ_(i),η_(i): predetermined values. 